PHP Update error with stephdl

Hi there!

I have a NethServer running with SOGo, Nextcloud and the latest updates, but the PHP version is very old, and my pentest says I should update.
I tried to update it with the stephdl solution, but I get an error on

yum install php72-php-dba php73-php-dba

--> Finished Dependency Resolution
Error: Package: php73-php-dba-7.3.9-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)
Error: Package: environment-modules-3.2.10-0.el7.remi.x86_64 (remi-safe)
           Requires: libtcl8.5.so()(64bit)
Error: Package: php72-php-dba-7.2.22-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

7.6.1810 (final)
PHP 5.4.16 (cli) (built: Oct 30 2018 19:30:51)

Thanks for reading!

Would you please elaborate more on what the test says about PHP?

I tried it with pentest-tools.com; these are the high-risk issues, rated at 7.5 points.

CVE-2019-9641
An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before
7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in
exif_process_IFD_in_TIFF.

CVE-2019-9023
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read
instances are present in mbstring regular expression functions when supplied
with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c,
ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c,
ext/mbstring/oniguruma/enc/unicode.c, and
ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression
pattern contains invalid multibyte sequences.

CVE-2019-9021
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading
functions in the PHAR extension may allow an attacker to read allocated or
unallocated memory past the actual data when trying to parse the file name, a
different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c.

CVE-2019-9020
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before
7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can
lead to an invalid memory access (heap out of bounds read or read after free).
This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c.

CVE-2015-4643
Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42,
5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute
arbitrary code via a long reply to a LIST command, leading to a heap-based
buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for
CVE-2015-4022.

CVE-2017-7679
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read
one byte past the end of a buffer when sending a malicious Content-Type
response header.

First you have to install the stephdl repository; a wiki page is here.

After that you have to install the remi rpm and php-scl by enabling the stephdl repo. For the wiki, look here.

When the installation is finished, you can choose the version in the GUI.

I have already done this before… I installed some updates, and now I get the same error.

--> Finished Dependency Resolution
Error: Package: php73-php-dba-7.3.9-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)
Error: Package: environment-modules-3.2.10-0.el7.remi.x86_64 (remi-safe)
           Requires: libtcl8.5.so()(64bit)
Error: Package: php72-php-dba-7.2.22-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

yum install php72-php-dba php73-php-dba --enablerepo=epel,ce-base,remi-safe

https://wiki.nethserver.org/doku.php?id=php-scl&s[]=stephdl&s[]=repo#install_php_rpms

I have the feeling that epel is not enabled.
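To pin down which repository is missing rather than guessing, here is an added shell example (not from the thread or the stephdl wiki). It pulls the unresolved capabilities out of the yum error quoted above and asks yum which enabled repository provides each one; `yum provides` only searches enabled repos, so an empty answer points at the repo that needs `--enablerepo`. The script name `find_providers.sh` and the embedded error text (copied from the post above) are assumptions of the example; rpm/yum are only called when present on the host.

```shell
#!/bin/sh
# Added example (not from the thread): extract the unresolved "Requires:" capabilities
# from a yum dependency error and ask yum which repository provides each one.

# missing_requires ERROR_TEXT
#   Prints each unique capability yum reported as unresolved, one per line.
missing_requires() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Requires: *//p' | sort -u
}

# find_providers CAPABILITY...
#   For each capability, lists the packages (and their repo) that provide it.
#   'yum provides' searches only enabled repos, so "no provider" usually means
#   the right repo is disabled (on EL7, liblmdb comes from EPEL's lmdb-libs and
#   libtcl from the base tcl package).
find_providers() {
    command -v yum >/dev/null 2>&1 || { echo "yum not available on this host"; return 1; }
    for cap in "$@"; do
        echo "== $cap"
        yum -q provides "$cap" 2>/dev/null ||
            echo "   no enabled repo provides it; retry with --enablerepo=epel,ce-base,remi-safe"
    done
}

# The yum error text from the thread, embedded so the parser runs offline.
YUM_ERROR='--> Finished Dependency Resolution
Error: Package: php73-php-dba-7.3.9-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)
Error: Package: environment-modules-3.2.10-0.el7.remi.x86_64 (remi-safe)
           Requires: libtcl8.5.so()(64bit)
Error: Package: php72-php-dba-7.2.22-1.el7.remi.x86_64 (remi-safe)
           Requires: liblmdb.so.0.0.0()(64bit)'

# Stand-alone run (sh find_providers.sh): print the missing capabilities,
# then query yum for their providers if yum exists. Capabilities contain no
# whitespace, so plain word splitting of $caps is safe here.
if [ "${0##*/}" = "find_providers.sh" ]; then
    caps=$(missing_requires "$YUM_ERROR")
    echo "$caps"
    find_providers $caps
fi
```

Run it on the affected box and compare with `yum repolist enabled`; if a capability's provider is in a repo that is not listed there, that is the repo to pass with `--enablerepo`.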

The security tests usually check the PHP version but, when possible, Red Hat backports security updates to the (previous) PHP versions they support. The same applies to its derivatives (CentOS and therefore NethServer).

For NethServer 7, if you’ve the latest updates, the mentioned issues are supposed to be fixed: CVE-2019-9641, CVE-2019-9023, CVE-2019-9021, CVE-2019-9020, CVE-2015-4643, CVE-2015-4022, CVE-2017-7679.


Thank you, this worked for me!

Check which repositories are enabled; I think you have an issue there.

FWIW, I ran the same test on a mail server (WebTop and Roundcube installed).
These are the results.

Vulnerabilities found for server-side software

CVSS | CVE | Summary | Exploit | Affected software
7.5 | CVE-2019-9641 | An issue was discovered in the EXIF component in PHP before 7.1.27, 7.2.x before 7.2.16, and 7.3.x before 7.3.3. There is an uninitialized read in exif_process_IFD_in_TIFF. | N/A | PHP 5.4.16
7.5 | CVE-2019-9023 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcomp.c, ext/mbstring/oniguruma/regexec.c, ext/mbstring/oniguruma/regparse.c, ext/mbstring/oniguruma/enc/unicode.c, and ext/mbstring/oniguruma/src/utf32_be.c when a multibyte regular expression pattern contains invalid multibyte sequences. | N/A | PHP 5.4.16
7.5 | CVE-2019-9021 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file name, a different vulnerability than CVE-2018-20783. This is related to phar_detect_phar_fname_ext in ext/phar/phar.c. | N/A | PHP 5.4.16
7.5 | CVE-2019-9020 | An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc/xml_element.c. | N/A | PHP 5.4.16
7.5 | CVE-2015-4643 | Integer overflow in the ftp_genlist function in ext/ftp/ftp.c in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 allows remote FTP servers to execute arbitrary code via a long reply to a LIST command, leading to a heap-based buffer overflow. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4022. | N/A | PHP 5.4.16
7.5 | CVE-2017-7679 | In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. | N/A | http_server 2.4.6
6.8 | CVE-2018-1312 | In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest authentication challenge, the nonce sent to prevent replay attacks was not correctly generated using a pseudo-random seed. In a cluster of servers using a common Digest authentication configuration, HTTP requests could be replayed across servers by an attacker without detection. | N/A | http_server 2.4.6
6.8 | CVE-2017-15715 | In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename. | N/A | http_server 2.4.6
6.8 | CVE-2014-0226 | Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c. | N/A | http_server 2.4.6
6.4 | CVE-2017-9788 | In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments by mod_auth_digest. Providing an initial key with no '=' assignment could reflect the stale value of uninitialized pool memory used by the prior request, leading to leakage of potentially confidential information, and a segfault in other cases resulting in denial of service. | N/A | http_server 2.4.6
5 | CVE-2018-0732 | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o). | N/A | OpenSSL 1.0.2k
5 | CVE-2017-3735 | While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g. | N/A | OpenSSL 1.0.2k
4.3 | CVE-2018-0734 | The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p). | N/A | OpenSSL 1.0.2k
4.3 | CVE-2019-1559 | If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q). | N/A | OpenSSL 1.0.2k
4.3 | CVE-2018-0739 | Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n). | |

Hope this helps @dev_team with the evaluation of the updates.

As noted above:

Scanners that only look at version numbers are less than worthless.

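The two replies above (that RHEL backports fixes into php 5.4.16, and that version-only scanners are worthless) can be checked on the box itself: Red Hat records each backported fix, with its CVE ID, in the package changelog, so `rpm -q --changelog php` is the evidence a scanner report like the one above should be compared against. The following shell script is an added example, not code from the thread or from NethServer; the sample changelog embedded in it is constructed for the example and is not the real php-5.4.16 changelog, and the script name `check_cves.sh` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): verify backported CVE fixes by reading the
# RPM changelog instead of trusting the version string a scanner sees.
# A "PHP 5.4.16" package can already carry the fix for a CVE that NVD lists as
# fixed upstream only in 5.6.40; the changelog is where the backport is recorded.

# cves_in_changelog CHANGELOG_TEXT CVE...     -> prints the CVEs mentioned in the changelog
cves_in_changelog() {
    _log=$1; shift
    for _cve in "$@"; do
        printf '%s\n' "$_log" | grep -qiw -- "$_cve" && printf '%s\n' "$_cve"
    done
    return 0
}

# cves_not_in_changelog CHANGELOG_TEXT CVE... -> prints the CVEs NOT mentioned
#   (still open, or fixed without a CVE reference: confirm those by hand)
cves_not_in_changelog() {
    _log=$1; shift
    for _cve in "$@"; do
        printf '%s\n' "$_log" | grep -qiw -- "$_cve" || printf '%s\n' "$_cve"
    done
    return 0
}

# check_package PKG CVE...   -> same check against the installed package's real changelog
check_package() {
    _pkg=$1; shift
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available on this host"; return 1; }
    _log=$(rpm -q --changelog "$_pkg") || { echo "$_pkg is not installed"; return 1; }
    echo "fixed according to the $_pkg changelog:"
    cves_in_changelog "$_log" "$@"
    echo "not mentioned in the $_pkg changelog:"
    cves_not_in_changelog "$_log" "$@"
}

# Constructed sample in 'rpm -q --changelog' layout. The entries are invented
# for this example and are NOT the real php-5.4.16 changelog.
SAMPLE_CHANGELOG='* Mon Jan 01 2019 Packager <packager@example.com> - 5.4.16-99
- exif: fix uninitialized read in exif_process_IFD_in_TIFF (CVE-2019-9641)
- ftp: fix integer overflow in ftp_genlist (CVE-2015-4643, CVE-2015-4022)
* Mon Jun 01 2015 Packager <packager@example.com> - 5.4.16-1
- initial import'

# Stand-alone run (sh check_cves.sh) uses the sample; on a real NethServer box
# run instead: check_package php CVE-2019-9641 CVE-2019-9023 CVE-2019-9021 ...
if [ "${0##*/}" = "check_cves.sh" ]; then
    echo "fixed:"; cves_in_changelog "$SAMPLE_CHANGELOG" CVE-2019-9641 CVE-2019-9020 CVE-2015-4643
    echo "not mentioned:"; cves_not_in_changelog "$SAMPLE_CHANGELOG" CVE-2019-9641 CVE-2019-9020 CVE-2015-4643
fi
```

Feed `check_package` the CVE column straight from the scanner table (php for the PHP rows, httpd for the http_server rows, openssl for the OpenSSL rows). A CVE that appears in the changelog is closed on that host regardless of what the version banner says; one that does not appear still needs a manual check, since Red Hat occasionally fixes an issue without naming the CVE in the changelog entry.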

We have no evaluations to do, nor updates; RHEL provides the updates to php54 (the default PHP version). We just use, when we can, the PHP SCL version via the virtual hosts with my rpm.

Updating the core package is not an easy or safe way.