How can I disable php 5.4

security
php
v7

(Gosch Christian) #1

Hi there, is there a way to disable php 5.4?

I have already installed newer php version(s) with the Stephdl Repository package but a vulnerability scan shows there is still php 5.4 on my site working and shows a lot of CVEs https://pentest-tools.com

These are the critical ones:

| Risk Level | CVSS | CVE | Summary | Exploit | Affected software |
|---|---|---|---|---|---|
| | 7.5 | CVE-2014-9912 | The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument. | N/A | PHP 5.4.16 |
| | 7.5 | CVE-2014-3515 | The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to “type confusion” issues in (1) ArrayObject and (2) SPLObjectStorage. | N/A | PHP 5.4.16 |
| | 7.5 | CVE-2014-3669 | Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. | N/A | PHP 5.4.16 |
| | 7.5 | CVE-2015-0231 | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. | N/A | PHP 5.4.16 |
| | 7.5 | CVE-2014-9427 | sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping’s length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping. | N/A | PHP 5.4.16 |
| | 7.5 | CVE-2017-7679 | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. | N/A | http_server 2.4.6 |

System version: NethServer release 7.5.1804 (final)
Kernel release: 3.10.0-862.9.1.el7.x86_64


(Dan) #2

You should be able to choose a different PHP version as your server default. However, it doesn’t look like that scanner is accounting for the fact that RedHat backports security fixes from later software versions. RHEL/CentOS 7.x, for example, is always going to run Apache 2.4.6, but as security issues arise and fixes are published, those will be backported into Apache 2.4.6 and an update released.

That’s a long way of saying that the issues noted probably aren’t actually present in the software on your system.
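
One way to check the backporting point on the server itself, as an added example that is not part of the original thread: RPM packages record their fixes in the package changelog (`rpm -q --changelog <package>`), so the CVE IDs from a scan can be matched against it. The function name `backported_cves` and the sample changelog below are constructed for illustration; the release strings in the sample are not real package versions.

```shell
#!/bin/sh
# Added example: match scanner CVE IDs against an RPM changelog read on stdin.
# On the server the input would come from the real package, e.g.:
#   rpm -q --changelog php | backported_cves CVE-2014-3515 CVE-2014-3669

# Prints "<CVE-ID> <version-release>" for each ID found in the changelog,
# or "<CVE-ID> not-mentioned" when no entry names it.
backported_cves() {
    awk -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        # Changelog headers start with "* "; the last field is version-release.
        /^\* / { release = $NF }
        {
            for (i = 1; i <= n; i++)
                # Require non-alphanumeric neighbours so a shorter ID
                # cannot match inside a longer one.
                if ($0 ~ ("(^|[^0-9A-Za-z])" want[i] "([^0-9A-Za-z]|$)"))
                    # rpm prints newest entries first, so the value left at
                    # the end is the oldest release that names the CVE.
                    seen[want[i]] = release
        }
        END {
            for (i = 1; i <= n; i++)
                print want[i], ((want[i] in seen) ? seen[want[i]] : "not-mentioned")
        }
    '
}

# Constructed sample input in rpm changelog layout (not real package data).
sample_changelog() {
cat <<'EOF'
* Thu Jan 01 2015 Example Packager <packager@example.invalid> - 5.4.16-0.example2
- core: fix integer overflow in unserialize() (CVE-2014-3669)

* Wed Jan 01 2014 Example Packager <packager@example.invalid> - 5.4.16-0.example1
- spl: fix type confusion after unserialization (CVE-2014-3515)
- initial build of 5.4.16
EOF
}

sample_changelog | backported_cves CVE-2014-3515 CVE-2014-3669 CVE-2017-7679
```

A `not-mentioned` result only means the changelog of that one package does not name the ID: CVE-2017-7679 from the scan above belongs to Apache httpd, so it has to be looked up in the `httpd` changelog rather than the `php` one.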