cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with PHP version 5.6.30, 7.0.15, and 7.1.1. This release addresses vulnerabilities related to CVE-2016-10161, CVE-2016-10162, CVE-2017-5340, CVE-2016-7479, CVE-2016-10158, CVE-2016-10159, and CVE-2016-10160. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.30, all PHP 7.0 users to upgrade to version 7.0.15, and all PHP 7.1 users to upgrade to version 7.1.1.
AFFECTED VERSIONS
All versions of PHP 5.6 through 5.6.29
All versions of PHP 7.0 through 7.0.14
All versions of PHP 7.1 through 7.1.0
SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
CVE-2016-10161 – MEDIUM
PHP 5.6.30
Fixed bug in Standard library related to CVE-2016-10161
PHP 7.0.15
Fixed bug in Core related to CVE-2016-10161
PHP 7.1.1
Fixed bug in Core related to CVE-2016-10161
CVE-2016-10162 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2016-10162
PHP 7.1.1
Fixed bug in Core related to CVE-2016-10162
CVE-2017-5340 – MEDIUM
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340
PHP 7.1.1
Fixed bug in Core related to CVE-2017-5340
CVE-2016-7479 – HIGH
PHP 7.0.15
Fixed bug in Core related to CVE-2017-5340
CVE-2016-10158 – MEDIUM
PHP 5.6.30
Fixed bug in Exif extension related to CVE-2016-10158
PHP 7.0.15
Fixed bug in Exif extension related to CVE-2016-10158
PHP 7.1.1
Fixed bug in Exif extension related to CVE-2016-10158
CVE-2016-10160 – HIGH
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10160
PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10160
PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10160
CVE-2016-10159 – MEDIUM
PHP 5.6.30
Fixed bug in Phar extension related to CVE-2016-10159
PHP 7.0.15
Fixed bug in Phar extension related to CVE-2016-10159
PHP 7.1.1
Fixed bug in Phar extension related to CVE-2016-10159
SOLUTION
cPanel, Inc. has released updated RPMs for EasyApache 4 on January 25, 2017, with updated versions of PHP 5.6, 7.0, and 7.1. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM’s Run System Update interface.
REFERENCES
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5340
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10161
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10162
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7479
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10158
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10159
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10160
http://www.php.net/ChangeLog-7.php
http://www.php.net/ChangeLog-5.php