Volume 14, Number 5 -- March 4, 2014

Zend Patches High-Risk Security Flaw in PHP

Published: March 4, 2014

by Alex Woodie

Zend Technologies last week issued emergency hotfixes for the latest PHP runtimes for IBM i, Windows, and Linux to fix a high-risk security vulnerability in PHP that could enable an attacker to execute arbitrary code on affected systems.

Zend on Thursday announced the immediate availability of Zend Server 6.3 Hotfix 1. The hotfix implements a new release of the PHP language, version 5.5.9, and thereby patches a security flaw in its Zend Server PHP runtimes for IBM i, Windows, and Linux platforms. There is no hotfix for the Zend version 6.3 runtime for Mac OS X.

The patch addresses the imagecrop() buffer overflow vulnerability tracked as CVE-2013-7226. The vulnerability, caused by improper bounds checking, could enable a malicious user to execute arbitrary code or mount a denial-of-service (DoS) attack. IBM's ISS X-Force report rates it a "high risk" security vulnerability.

The emergency hotfix comes just over a week after the company shipped Zend Server version 6.3, the first release of the PHP runtime to support the new PHP version 5.5 language. The release of that runtime coincided with the launch of Zend's new long-term support policy, under which Zend expanded its technical support window for older releases of the PHP runtime and language from three to five years.

Ironically, Zend's customers were more concerned about security vulnerabilities discovered in older releases of the PHP runtime that the open source community could not be relied on to fix. But the CVE-2013-7226 vulnerability exists only in the newer PHP releases, versions 5.5 and 5.4. PHP version 5.3--an older release that is one of the targets of Zend's new long-term support program--is not affected by CVE-2013-7226.
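As an added example (not from the article and not Zend's code), two defender-side checks that complement the hotfix described above: one flags a runtime older than the 5.5.9 release named as carrying the fix, and the other wraps imagecrop() so an out-of-range crop rectangle is rejected before it reaches the affected library code. The function names, the 200x100 test image and the sample rectangles are constructed for illustration.

```php
<?php
// Added example, not Zend's or the article's code. Two defender-side checks
// around the imagecrop() flaw (CVE-2013-7226) discussed in the article.

// The article names PHP 5.5.9 as the release carrying the fix, says 5.4 and
// 5.5 are affected and 5.3 is not. 5.4.x is treated as unpatched here because
// the article names no fixed 5.4 build; adjust if your vendor states one.
function runtimeHasImagecropFix($version = PHP_VERSION) {
    if (version_compare($version, '5.4.0', '<')) {
        return true;  // 5.3 branch: not affected
    }
    return version_compare($version, '5.5.9', '>=');
}

// Defence in depth: validate a (possibly user-supplied) crop rectangle against
// the real image size before it reaches the gd library, so an out-of-range
// rectangle never exercises the affected bounds checking at all.
function imagecropChecked($image, array $rect) {
    foreach (array('x', 'y', 'width', 'height') as $key) {
        $v = isset($rect[$key]) ? filter_var($rect[$key], FILTER_VALIDATE_INT) : false;
        if ($v === false) {
            throw new InvalidArgumentException("crop rect: '$key' missing or not an integer");
        }
        $rect[$key] = $v;
    }
    if ($rect['x'] < 0 || $rect['y'] < 0 || $rect['width'] < 1 || $rect['height'] < 1) {
        throw new InvalidArgumentException('crop rect: negative origin or non-positive size');
    }
    // Compare against the span left in the image rather than forming x + width,
    // so an oversized value is caught without the sum ever being computed.
    if ($rect['width'] > imagesx($image) - $rect['x']
        || $rect['height'] > imagesy($image) - $rect['y']) {
        throw new InvalidArgumentException('crop rect: extends beyond the image');
    }
    return imagecrop($image, $rect);
}

if (PHP_SAPI === 'cli') {
    printf("runtime %s patched: %s\n", PHP_VERSION, runtimeHasImagecropFix() ? 'yes' : 'NO');
    $img = imagecreatetruecolor(200, 100);  // constructed 200x100 test image
    $ok  = imagecropChecked($img, array('x' => 10, 'y' => 10, 'width' => 50, 'height' => 40));
    printf("valid crop -> %dx%d\n", imagesx($ok), imagesy($ok));
    try {
        // constructed hostile rectangle: width far beyond the image edge
        imagecropChecked($img, array('x' => 10, 'y' => 10, 'width' => PHP_INT_MAX, 'height' => 40));
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The version check is a triage aid only; the authoritative fix is installing Zend Server 6.3 Hotfix 1, and the wrapper is worth keeping afterwards as input validation in its own right.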

To download the Zend Server version 6.3 Hotfix 1 for IBM i or Windows, go to www.zend.com/en/products/server/downloads.


RELATED STORY

Congratulations, PHP: You Are Legacy Now



Editor: Alex Woodie
Contributing Editors: Dan Burger, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas

Copyright © 1996-2014 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034