Has openSUSE 13.2 PHP v.5.6.11?

Hi All,

I’ve made some SAINT scans during PCI Audit preparation. It found one critical problem on my openSUSE 13.2 Server:

vulnerable PHP version: 5.6.1

and the resolution is:

PHP should be upgraded to version 5.4.43 for 5.4.x, or 5.5.27 for 5.5.x, or 5.6.11 for 5.6.x, or higher when
available, or 7.0 Beta 2 dev for development.

I updated my SUSE and the version of PHP is 5.6.1-33. Does SUSE 13.2 have PHP version 5.6.11 or higher available as an update? If so, how can I achieve it?

Thanks,
Tomasz

Hi,

There is a repository which contains the 5.6.11 version of PHP:
http://software.opensuse.org/package/dba-php-5611

Just a general remark:
You cannot judge from the version number whether the used php is vulnerable to a certain exploit or not.
openSUSE backports security fixes to the shipped versions, so openSUSE’s 5.6.1 is not really a 5.6.1.

To see whether a specific fix is included, have a look at the package changelog. (“Changelog” tab in YaST, or run “rpm -q --changelog php5”)

To add to the above, in the most recent version on 13.2, 5.6.1-33, the -33 points to the fact that there are changes (security and recommended updates) added to the naked 5.6.1.
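As an added illustration of the point above (not code from either poster), here is a small Python script that parses the output of `rpm -q --changelog php5` into dated entries and reports which entries mention a given CVE id, which is the check that matters on a distribution that backports fixes. The embedded changelog text and the CVE ids in it are constructed placeholders, not real openSUSE entries.

```python
import re
import subprocess
import sys

# Header line of an "rpm -q --changelog" entry, e.g.
# "* Wed Jul 15 2015 maintainer@example.com" (constructed example)
ENTRY_RE = re.compile(r"^\* (?P<date>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{4}) (?P<author>\S.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text):
    """Split changelog text into entries: {'date', 'author', 'body', 'cves'}."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"date": m.group("date"), "author": m.group("author"),
                            "body": [], "cves": set()})
        elif entries:
            entries[-1]["body"].append(line)
            entries[-1]["cves"].update(CVE_RE.findall(line))
    return entries


def fixed_cves(entries):
    """Every CVE id mentioned anywhere in the changelog."""
    return set().union(*(e["cves"] for e in entries))


def entries_mentioning(entries, cve_id):
    """Entries whose text names the given CVE id (the backported-fix evidence)."""
    return [e for e in entries if cve_id in e["cves"]]


def package_changelog(pkg="php5"):
    """Fetch the live changelog with rpm; only works on an RPM-based host."""
    out = subprocess.run(["rpm", "-q", "--changelog", pkg],
                         capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample in rpm changelog format; the CVE ids are placeholders.
SAMPLE = """\
* Wed Jul 15 2015 maintainer@example.com
- security update (placeholder ids):
  * CVE-0000-1111 [bnc#000000]
  * CVE-0000-2222
* Mon Jan 05 2015 maintainer@example.com
- fix build with newer libxml2
"""

if __name__ == "__main__":
    cve = sys.argv[1] if len(sys.argv) > 1 else "CVE-0000-1111"
    try:
        text = package_changelog("php5")
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # no rpm here; fall back to the constructed sample
    hits = entries_mentioning(parse_changelog(text), cve)
    print(f"{cve}: " + (", ".join(e["date"] for e in hits) if hits else "not mentioned"))
```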

Hi,

Thanks for all the answers. I’ve installed the dba-php-5611 package (I can see the package installed with `rpm -qa | grep php5`), but SAINT still shows me the PHP v.5.6.1 vulnerability. Are there any other packages of v5.6.11 which must be installed?

Tomasz

It would be better (for you and us) to know what exactly that SAINT is testing. When it tests the version number it tests the wrong thing, at least in an openSUSE environment.

I suppose you need dba-apa24-php-5611 too.
And you would probably need to configure Apache to use that module, as it installs to some non-standard location (/DBA/apache/), or maybe install one of the dba-apache packages from that repo too.

Personally I would rather install 5.6.12 from the semi-official devel:languages:php repo though (devel project for Tumbleweed).
Just add the repo and do a full vendor switch:
http://download.opensuse.org/repositories/devel:/languages:/php/openSUSE_13.2
https://en.opensuse.org/SDB:Vendor_change_update#Full_repository_Vendor_change

FYI: I was just told that SAINT goes with the results it gets back from the check, which in most cases is a banner output, which means SAINT received a version number. There is also a credentialed/authenticated scan to give SAINT access to dig more into the packages installed and not just the banner version. I’ve tried both, but had the same vulnerabilities.

Anyway, I followed wolfi323’s advice and installed the v.5.6.12 repo. After restarting all is grant. SAINT is happy and I’m happy.

Thanks for your help.

Tomasz