PHP fails PCI compliance for CVE 2015-0232
I'm up to date with the latest for CentOS 6.6.
I've checked the changelog for php-5.3.3 and CVE 2015-0232 isn't referenced.
I did see that the fix was backported to PHP 5.6.5, 5.5.21, and 5.4.37.
But there is no reference to 5.3.x, so no update was found, and the bug was closed.
I see that PHP 5.3 reached end of life on Aug 14, 2014.
Does this mean that CentOS 6.x will no longer be a PCI-compliant base, since it relies on PHP 5.3 as its base?
Re: PHP fails PCI compliance for CVE 2015-0232
You have to follow https://bugzilla.redhat.com/CVE-2015-0232 and the dependent bugs (not public yet).
PHP 5.3 is EOL upstream but still maintained by Red Hat (so also in CentOS).
As the impact was evaluated as "moderate", there is no urgent update (but probably one later).
Re: PHP fails PCI compliance for CVE 2015-0232
I had looked at the bug, but I'm not sure if/where I could/should comment.
PHP 5.3 is failing for 3 CVEs: CVE 2015-1351, CVE 2015-0232 and CVE 2014-8142.
Our system has failed PCI compliance, and they will revoke our "privilege" to accept credit cards within a few days.
Is there anywhere that it is stated that RedHat is working on these, so that maybe I can request an extension?
Or would it make sense to get a newer copy of PHP that has this patched for CentOS 6 (and if so, do you have any recommendations)?
Thanks!
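The situation described in this thread is a common source of scanner findings: Red Hat backports security fixes into the existing package version (php-5.3.3 stays php-5.3.3), so a scanner that only looks at the version string cannot tell a patched build from an unpatched one, and the place the backported fix is actually recorded is the RPM changelog. The script below is an added example, not code from the thread or from CentOS/Red Hat; the function names, the constructed changelog sample and its release numbers are assumptions, while the three CVE ids are the ones named in this thread. It reads changelog text on stdin and reports which of the given CVE ids appear in it, so it can be fed the real output of `rpm -q --changelog php` on the machine under review.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a package changelog records
# a fix for each CVE a scanner flagged. On a real CentOS/RHEL host run:
#   rpm -q --changelog php | check_cves CVE-2015-0232 CVE-2015-1351 CVE-2014-8142
# A "missing" result means the changelog has no entry for that CVE, which is the
# evidence to bring to the vendor bug (or to the PCI assessor, once it is "fixed").

# check_cves: reads changelog text on stdin and prints one line per CVE id:
#   "<CVE> fixed"   if the id appears anywhere in the changelog
#   "<CVE> missing" otherwise
# Exit status is 0 only if every requested CVE is present.
check_cves() {
    changelog=$(cat)
    rc=0
    for cve in "$@"; do
        # -- stops grep from reading the leading "CVE-" as an option;
        # -i tolerates the mixed case some packagers use.
        if printf '%s\n' "$changelog" | grep -qi -- "$cve"; then
            echo "$cve fixed"
        else
            echo "$cve missing"
            rc=1
        fi
    done
    return $rc
}

# count_missing: convenience wrapper that returns how many of the given CVE ids
# are absent from the changelog supplied on stdin.
count_missing() {
    # "|| true" keeps a zero count from turning into a non-zero exit status
    check_cves "$@" | grep -c ' missing$' || true
}

# Constructed sample in "rpm -q --changelog" style. The dates, maintainer and
# release numbers are made up for this example; only CVE-2014-8142 is "fixed".
SAMPLE_CHANGELOG='* Tue Jan 27 2015 Example Maintainer <maint@example.invalid> - 5.3.3-EXAMPLE.2
- unserialize: fix use-after-free (CVE-2014-8142)

* Thu Nov 06 2014 Example Maintainer <maint@example.invalid> - 5.3.3-EXAMPLE.1
- rebuild with updated build dependencies'

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CHANGELOG" | check_cves CVE-2015-0232 CVE-2015-1351 CVE-2014-8142
```

Against the constructed sample this reports CVE-2014-8142 as fixed and the other two as missing, which matches the situation the thread describes: the fix for one CVE has landed in the changelog while the others have not. The check is only as good as the packager's habit of citing CVE ids in changelog entries, so a "missing" result is a prompt to read the vendor bug rather than proof that the code is unpatched.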
Re: PHP fails PCI compliance for CVE 2015-0232
> Is there anywhere that it is stated that RedHat is working on these and maybe I can possibly request an extension?
Red Hat customers can ask Red Hat support.
CentOS users have to be patient.
Having dependent bugs shows something is happening, but I CAN'T say when.
I don't know of any "serious" 3rd party repository which maintains a PHP 5.3 stack.
Switching to a 3rd party repo will also mean switching to 5.4 or greater.
Re: PHP fails PCI compliance for CVE 2015-0232
I'd be happy to upgrade to 5.4 or greater.
What would you recommend for the best/stable/secure php version, and where to get it? (yum repository that is).
Re: PHP fails PCI compliance for CVE 2015-0232
I don't think there is a better version.
5.4 is maintained upstream, but in security mode only (no more bugfixes), and will be EOL soon.
5.5 and 5.6 are the current stable versions, maintained upstream.
See http://wiki.centos.org/AdditionalResources/Repositories
And, of course, my sign.