Update PHP and OpenSSL to the latest Version

fritzboxuser
Posts: 49
Joined: Mon Sep 07, 2015 6:40 pm

Update PHP and OpenSSL to the latest Version

Post by fritzboxuser »

hello asustor team,

can we have an updated version of PHP and OpenSSL to fix the latest CVEs?

CVSS	CVE	Summary	Affected software

5.0	CVE-2017-3735	While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.	OpenSSL 1.0.2k

4.3	CVE-2017-3738	There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.	OpenSSL 1.0.2k

4.3	CVE-2017-3737	OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.	OpenSSL 1.0.2k

7.8	CVE-2017-11142	In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.	PHP 5.6.30

7.5	CVE-2017-12933	The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.	PHP 5.6.30

6.8	CVE-2017-11628	In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a stack-based buffer overflow in the zend_ini_do_op() function in Zend/zend_ini_parser.c could cause a denial of service or potentially allow executing code. NOTE: this is only relevant for PHP applications that accept untrusted input (instead of the system's php.ini file) for the parse_ini_string or parse_ini_file function, e.g., a web application for syntax validation of php.ini directives.	PHP 5.6.30

5.0	CVE-2017-16642	In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension's timelib_meridian handling of 'front of' and 'back of' directives could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: this is a different issue than CVE-2017-11145.	PHP 5.6.30

5.0	CVE-2017-11145	In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension's timelib_meridian parsing code could be used by attackers able to supply date strings to leak information from the interpreter, related to ext/date/lib/parse_date.c out-of-bounds reads affecting the php_parse_date function. NOTE: the correct fix is in the e8b7698f5ee757ce2c8bd10a192a491a498f891c commit, not the bd77ac90d3bdf31ce2a5251ad92e9e75 gist.	PHP 5.6.30
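The table above mixes two version schemes, and the pitfall is that OpenSSL's trailing patch letter (1.0.2k vs. 1.0.2m) is not a number. The following is an added example, not code from the thread or from ASUSTOR: it encodes the fix versions from the quoted CVE summaries and reports which ones still apply to a given installed version, so an admin can re-check after a firmware update. The version table is constructed here from the summaries; branches the summaries do not mention are treated as unknown rather than affected.

```python
import re

# Fix versions taken from the CVE summaries quoted above (constructed table):
# each entry is (release branch, first fixed release on that branch).
PHP_FIXES = {
    "CVE-2017-11142": [("5.6", "5.6.31"), ("7.0", "7.0.17"), ("7.1", "7.1.3")],
    "CVE-2017-12933": [("5.6", "5.6.31"), ("7.0", "7.0.21"), ("7.1", "7.1.7")],
    "CVE-2017-11628": [("5.6", "5.6.31"), ("7.0", "7.0.21"), ("7.1", "7.1.7")],
    "CVE-2017-16642": [("5.6", "5.6.32"), ("7.0", "7.0.25"), ("7.1", "7.1.11")],
    "CVE-2017-11145": [("5.6", "5.6.31"), ("7.0", "7.0.21"), ("7.1", "7.1.7")],
}
OPENSSL_FIXES = {
    "CVE-2017-3735": [("1.0.2", "1.0.2m"), ("1.1.0", "1.1.0g")],
    "CVE-2017-3738": [("1.0.2", "1.0.2n"), ("1.1.0", "1.1.0h")],
    "CVE-2017-3737": [("1.0.2", "1.0.2n")],
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def version_key(version):
    """Turn '1.0.2k' into (1, 0, 2, 11) so tuple comparison orders releases.
    The OpenSSL patch letter becomes an ordinal and "no letter" is 0, hence
    1.0.2 < 1.0.2a < ... < 1.0.2k < 1.0.2m. PHP versions simply get a 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return nums + (letter,)


def affected_cves(version, fixes):
    """Return the CVE ids whose fix release is newer than the installed one.
    A version on a branch the table does not list (e.g. PHP 7.2, OpenSSL 1.0.1)
    is reported as not affected because the quoted summaries say nothing about
    it; extend the tables from the vendor advisory before trusting that."""
    installed = version_key(version)
    hits = []
    for cve, ranges in fixes.items():
        for branch, fixed in ranges:
            prefix = version_key(branch)[:-1]  # branch has no letter slot
            if installed[:len(prefix)] == prefix and installed < version_key(fixed):
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # The two versions the post reports as installed on the NAS.
    print("OpenSSL 1.0.2k:", affected_cves("1.0.2k", OPENSSL_FIXES))
    print("PHP 5.6.30:", affected_cves("5.6.30", PHP_FIXES))
```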
fritzboxuser
Posts: 49
Joined: Mon Sep 07, 2015 6:40 pm

Re: Update PHP and OpenSSL to the latest Version

Post by fritzboxuser »

These are real security gaps that have to be fixed.

Why does no one care about this, @asustor?
joe
Posts: 62
Joined: Fri Feb 28, 2014 2:59 am

Re: Update PHP and OpenSSL to the latest Version

Post by joe »

fritzboxuser wrote: "These are real security gaps that have to be fixed. Why does no one care about this, @asustor?"
They might care if they knew. They don't frequent this forum much. You could try and raise a support ticket to see where that gets you: http://support.asustor.com/
fritzboxuser
Posts: 49
Joined: Mon Sep 07, 2015 6:40 pm

Re: Update PHP and OpenSSL to the latest Version

Post by fritzboxuser »

Already done.
fritzboxuser
Posts: 49
Joined: Mon Sep 07, 2015 6:40 pm

Re: Update PHP and OpenSSL to the latest Version

Post by fritzboxuser »

After a few days I received an answer to this:

Hello XXX, 

Our engineer is still working on it. 

The reason for the delay is that the updated version involves big changes to our current system.

So our engineer is trying to find the best way to upgrade without revamping everything.

Best Regards,

Tony Chen 
+886-2-7737-0888 #3901
Technical Support Department
ASUSTOR Inc.,
