Thread: Has openSUSE 13.2 PHP v.5.6.11?

  1. #1

    Has openSUSE 13.2 PHP v.5.6.11?

    Hi All,

    I've made some SAINT scans during PCI Audit preparation. It found one critical problem on my openSUSE 13.2 Server:

    vulnerable PHP version: 5.6.1

    and the resolution is:

    PHP should be upgraded to version 5.4.43 for 5.4.x, or 5.5.27 for 5.5.x, or 5.6.11 for 5.6.x, or higher when
    available, or 7.0 Beta 2 dev for development.

    I updated my SUSE and the version of PHP is 5.6.1-33. Does SUSE 13.2 have PHP version 5.6.11 or higher available as an update? If so, how can I get it?

    Thanks,
    Tomasz

  2. #2

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    Hi,

    There is a repository which contains the 5.6.11 version of PHP:
    http://software.opensuse.org/package/dba-php-5611

  3. #3

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    Just a general remark:
    You cannot judge from the version number whether the PHP in use is vulnerable to a certain exploit or not.
    openSUSE backports security fixes to the shipped versions, so openSUSE's 5.6.1 is not really a 5.6.1.

    To see whether a specific fix is included, have a look at the package changelog. ("Changelog" tab in YaST, or run "rpm -q --changelog php5")
    Last edited by wolfi323; 26-Aug-2015 at 03:55.
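
The changelog check described in the post above, as an added example that is not part of the original thread: it reads `rpm -q --changelog php5` output on stdin and reports, for each CVE id a scanner flagged, the changelog entry that mentions it. The function names, the CVE ids and the sample changelog are constructed placeholders.

```shell
#!/bin/sh
# Usage on a real system (CVE ids come from the scanner report):
#   rpm -q --changelog php5 | changelog_cves CVE-XXXX-NNNN ...
# Prints "<id> FIXED <date> <packager>" for the newest entry mentioning the
# id, or "<id> MISSING" when no changelog entry mentions it.
changelog_cves() {
    awk -v ids="$*" '
        # True only if id occurs in line and is not a prefix of a longer number.
        function mentions(line, id,   p, rest) {
            rest = line
            while ((p = index(rest, id)) > 0) {
                rest = substr(rest, p + length(id))
                if (rest !~ /^[0-9]/) return 1
            }
            return 0
        }
        BEGIN { n = split(ids, want, " ") }
        /^\* / { header = substr($0, 3) }   # entry header: "* <date> <packager>"
        {
            for (i = 1; i <= n; i++)
                if (!(want[i] in found) && mentions($0, want[i]))
                    found[want[i]] = header
        }
        END {
            for (i = 1; i <= n; i++)
                if (want[i] in found) printf "%s FIXED %s\n", want[i], found[want[i]]
                else                  printf "%s MISSING\n", want[i]
        }'
}

# Constructed sample in rpm changelog layout (not real openSUSE data).
sample_changelog() {
    cat <<'EOF'
* Tue Jul 14 2015 packager@example.com
- security update:
  * CVE-0000-0001 [bnc#000001]
    + php-CVE-0000-0001.patch
  * CVE-0000-00031 [bnc#000002]
* Mon Jun 01 2015 packager@example.com
- security update:
  * CVE-0000-0002 [bnc#000003]
EOF
}

sample_changelog | changelog_cves CVE-0000-0001 CVE-0000-0002 CVE-0000-0003
```

A MISSING result only means the changelog does not name that id; the fix may be recorded under a bug number instead, so check the entry text before treating it as unpatched.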

  4. #4

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    To add to the above, in the most recent version on 13.2, 5.6.1-33, the -33 points to the fact that there are changes (security and recommended updates) added to the naked 5.6.1.
    Henk van Velden

  5. #5

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    Hi,

    Thanks for all the answers. I've installed the dba-php-5611 package (I can see the package installed - rpm -qa | grep php5), but SAINT still shows me the PHP v.5.6.1 vulnerability. Are there any other packages of v5.6.11 which must be installed?

    Tomasz

  6. #6

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    It would be better (for you and us) to know what exactly that SAINT is testing. When it tests the version number, it tests the wrong thing, at least in an openSUSE environment.
    Henk van Velden

  7. #7

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    Originally posted by tomaszdafil:
    Thanks for all the answers. I've installed the dba-php-5611 package (I can see the package installed - rpm -qa | grep php5), but SAINT still shows me the PHP v.5.6.1 vulnerability. Are there any other packages of v5.6.11 which must be installed?

    I suppose you need dba-apa24-php-5611 too.
    And you would probably need to configure Apache to use that module, as it installs to some non-standard location (/DBA/apache/), or maybe install one of the dba-apache packages from that repo too.

    Personally I would rather install 5.6.12 from the semi-official devel:languages:php repo though (devel project for Tumbleweed).
    Just add the repo and do a full vendor switch:
    http://download.opensuse.org/reposit.../openSUSE_13.2
    https://en.opensuse.org/SDB:Vendor_c..._Vendor_change

  8. #8

    Re: Has openSUSE 13.2 PHP v.5.6.11?

    FYI: I was just told that SAINT goes with the results it gets back from the check, which most of the time is banner output, which means SAINT received a version number. There is also a credentialed/authenticated scan to give SAINT access to dig more into the packages installed and not just the banner version. I've tried both, but had the same vulnerabilities.

    Anyway, I took wolfi323's advice and installed the v.5.6.12 repo. After restarting, all is grand. SAINT is happy and I'm happy.

    Thanks for your help.

    Tomasz
