While much of the security world is consumed with the latest branded vulnerability (last week it was POODLE), the open-source PHP programming language fixed some very serious bugs.
PHP is widely deployed across the Internet and is the language used to power much of the world’s leading Content Management Systems (CMS) and blogs (including this one).
The PHP 5.6.2 update fixes four security vulnerabilities, including CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. Bug #68089 does not yet have a CVE number, but it is a non-trivial null byte injection flaw.
PHP 5.4.34 is patched for six vulnerabilities, including CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670. The issues without CVE numbers are bugs #66242, #67985, #68089 and #41631.
Across both the PHP 5.4.x and PHP 5.6 updates, CVE-2014-3669 is one of the most serious.
“An integer overflow flaw in PHP’s unserialize() function was reported,” a Red Hat security advisory warns. “If unserialize() were used on untrusted data, this issue could lead to a crash or potentially information disclosure.”
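The defensive pattern behind that advisory, as an added example that is not part of the article or of PHP itself: cookie data is only passed to unserialize() after an HMAC over the serialized bytes has been verified, so untrusted input never reaches the parser. The key variable $SECRET_KEY and the function names are assumptions, and the cookie values are constructed for the demo.

```php
<?php
// Added example (not from the article): authenticate serialized data before
// unserialize() so attacker-controlled bytes never reach the parser.
$SECRET_KEY = 'replace-with-a-random-secret'; // placeholder; load from config in practice

// Vulnerable pattern the advisory warns about: untrusted input straight into unserialize().
function load_prefs_unsafe(array $cookies) {
    return isset($cookies['prefs']) ? unserialize($cookies['prefs']) : null;
}

// Constant-time string comparison; hash_equals() only exists from PHP 5.6.0.
function constant_time_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Producer: serialize, then tag the exact stored bytes with an HMAC.
function seal_prefs($prefs, $key) {
    $blob = serialize($prefs);
    return hash_hmac('sha256', $blob, $key) . '.' . base64_encode($blob);
}

// Consumer: verify the tag first; only authenticated bytes are unserialized.
function load_prefs_safe(array $cookies, $key) {
    if (!isset($cookies['prefs']) || strpos($cookies['prefs'], '.') === false) {
        return null;
    }
    list($tag, $encoded) = explode('.', $cookies['prefs'], 2);
    $blob = base64_decode($encoded, true);
    if ($blob === false || !constant_time_equals(hash_hmac('sha256', $blob, $key), $tag)) {
        return null; // reject and log; do not fall back to the unsafe path
    }
    return unserialize($blob);
}

// Constructed demo input: one sealed cookie, one forged cookie with a bogus tag.
$sealed = array('prefs' => seal_prefs(array('theme' => 'dark'), $SECRET_KEY));
$forged = array('prefs' => 'deadbeef.' . base64_encode('a:1:{s:5:"theme";i:-1;}'));
var_dump(load_prefs_safe($sealed, $SECRET_KEY));
var_dump(load_prefs_safe($forged, $SECRET_KEY));
```

The sealed cookie round-trips to the original array, while the forged one is rejected before unserialize() is ever called; the same check applies to any other place serialized data crosses a trust boundary.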
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist