Zend Patches High-Risk Security Flaw in PHP
Published: March 4, 2014
by Alex Woodie
Zend Technology last week issued emergency hotfixes for the latest PHP runtimes for IBM i, Windows, and Linux to fix a high-risk security vulnerability in PHP that could enable an attacker to execute arbitrary code on affected systems.
Zend on Thursday announced the immediate availability of Zend Server 6.3 Hotfix 1. The hotfix implements a new release of the PHP language, version 5.5.9, and thereby patches a security flaw in its Zend Server PHP runtimes for IBM i, Windows, and Linux platforms. There is no hotfix for the Zend version 6.3 runtime for Mac OS X.
The patch addresses the "imagecrop()" buffer overflow vulnerability that is referenced in CVE-2013-7226. The vulnerability, caused by improper bounds checking, could enable a malicious user to execute arbitrary code or a denial of service (DOS) attack. It is a "high risk" security vulnerability, according to IBM's ISS X-Force report.
The emergency hotfix comes just over a week after the company shipped Zend Server version 6.3, the first release of the PHP runtime to support the new PHP version 5.5 language. The release of that runtime coincided with the launch of Zend's new long-term support policy, under which Zend expanded its technical support window for older releases of the PHP runtime and language from three to five years.
Ironically, Zend's customers were more concerned about security vulnerabilities discovered in older releases of the PHP runtime that the open source community could not be relied on to fix. But the CVE-2013-7266 vulnerability exists only in the newer PHP releases, versions 5.5 and 5.4. PHP version 5.3--an older release that is one of the targets of Zend's new long-term support program--is not affected by the CVE-2013-7266 vulnerability.
To download the Zend Server version 6.3 Hotfix 1 for IBM i or Windows, go to www.zend.com/en/products/server/downloads.
Congratulations, PHP: You Are Legacy Now
Post this story to del.icio.us
Post this story to Digg
Post this story to Slashdot