[DONE] Upgrade PHP 5.3.13 Med-High risk security issues

[pi3ch]

I did quick security testing on latest stable version of nas4free and found PHP 5.3.13 on 9.1.0.1 - Sandstorm (revision 457) is vulnerable to mutiple security issue including Integer over follow, brute force attack on crypt function etc.

See http://www.php.net/ChangeLog-5.php#5.3.15. Please upgrade it to latest PHP > 5.3.15.

[zoon01]

NAS4Free 9.1.0.1.457 use PHP 5.4.8 (Current stable) version of php.

Revision 385 - Directory Listing
Modified Wed Oct 24 19:27:50 2012 UTC (3 weeks, 5 days ago) by zoon01
Upgrade php to 5.4.8.

As you could see, from rev. 385 and up the latest version is in use

I don't know what tools for test you use but it seems it give false positive on this one.

regards,
zoon01

[pi3ch]

$ uname -r
9.1-RC3

$ php -v
PHP 5.3.13 (cgi-fcgi) (built: May 9 2012 23:44:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ php-cgi -v
PHP 5.4.8 (cgi-fcgi) (built: Nov 13 2012 04:38:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

[daoyama]

$ uname -r
9.1-RC3

$ php -v
PHP 5.3.13 (cgi-fcgi) (built: May 9 2012 23:44:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2012 Zend Technologies

$ php-cgi -v
PHP 5.4.8 (cgi-fcgi) (built: Nov 13 2012 04:38:42)
Copyright (c) 1997-2012 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies

Probably, you install as full before, then upgrade to 457?
(Or you install 3rd-party packages.)

php is nerver used for both WebGUI, Web service in NAS4Free 9.1.0.1.457.
Always use php-cgi for WebGUI and Web service.

If you don't need php, you can delete it.

Daisuke Aoyama

[pi3ch]

Yep I have upgraded my full-install from 9.0.0.1 due to this security issue, but then found even after upgrade php is still old version. I haven't installed any other packages other than python.
so apprenly upgrading from 9.0.0.1 to 9.1.0.1 the php package (/usr/local/bin/php) doesnt not get the latest version.

[pi3ch]

Please include the for the upgrade script OR let users who come from 9.0.0.1 know about the outdated packages. There is a potential that other packages might also not get the latest version.

[daoyama]

Please include the for the upgrade script OR let users who come from 9.0.0.1 know about the outdated packages. There is a potential that other packages might also not get the latest version.

Old files should be removed if you upgrade, but I forgot to add php to the list
This was fixed at 509. So, you can't see the php binary if upgrade to 509 or later.

Thanks,
Daisuke Aoyama

[pi3ch]

Cool, will upgrade.