Php 5.2 vulnerablilities

I currently have a web server running PHP 5.2.13 and have recently been told:

Synopsis :

The remote web server uses a version of PHP that is affected by multiple flaws.

Description :

According to its banner, the version of PHP 5.2 installed on the remote host is older than 5.2.15. Such versions may be affected by several security issues :

• A crash in the zip extract method.

• A possible double free exists in the imap extension. (CVE-2010-4150)

• An unspecified flaw exists in 'open_ba开发者_运维技巧sedir'. (CVE-2010-3436)

• A possible crash could occur in 'mssql_fetch_batch()'.

• A NULL pointer dereference exists in 'ZipArchive::getArchiveComment'. (CVE-2010-3709)

• A crash exists if anti-aliasing steps are invalid. (Bug #53492)

• A crash exists in pdo_firebird getAttribute(). (Bug 53323)

• A user-after-free vulnerability in the Zend engine when a '_set()', '_get()', '_isset()' or '_unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

• A stack-based buffer overflow exists in the 'imagepstext()' function in the GD extension. (Bug 53492 / CVE-2010-4698)

• An error exists when processing invalid XML-RPC requests that can lead to a NULL pointer dereference. (bug #51288) (CVE-2010-0397)

• An error exists in the function 'fnmatch' that can lead to stack exhaustion.

• An error exists in the sqlite extension that could allow arbitrary memory access.

• A memory corruption error exists in the function 'substr_replace'.

• The following functions are not properly protected against function interruptions :

addcslashes, chunk_split, html_entity_decode, iconv_mime_decode, iconv_substr, iconv_mime_encode, htmlentities, htmlspecialchars, str_getcsv, http_build_query, strpbrk, strstr, str_pad, str_word_count, wordwrap, strtok, setcookie, strip_tags, trim, ltrim, rtrim, parse_str, pack, unpack, uasort, preg_match, strrchr, strchr, substr, str_repeat (CVE-2010-1860, CVE-2010-1862, CVE-2010-1864, CVE-2010-2097, CVE-2010-2100, CVE-2010-2101, CVE-2010-2190, CVE-2010-2191, CVE-2010-2484)

• The following opcodes are not properly protected against function interruptions :

ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW (CVE-2010-2191)

• The default session serializer contains an error that can be exploited when assigning session variables having user defined names. Arbitrary serialized values can be injected into sessions by including the PS_UNDEF_MARKER, '!', character in variable names.

• A use-after-free error exists in the function 'spl_object_storage_attach'. (CVE-2010-2225)

I'm not using a lot of these e.g. mssql_fetch_batch(), pdo_firebird getAttribute...

Basically I curious to know if this is all a major concern?

Thanks,

When software updates are released (especially server software and code interpreters), there is always a good reason.

Do yourself a favor and update regularly your software packages. If security advisories have been released, don't wait up and update right away.

There are not a lot of changes to take into consideration between the PHP 5.2 branch and the 5.3 branch. One day, support for the 5.2 branch will be dropped and you'll be forced to upgrade anyway. Take a look at the PHP 5.3.x Migration Guide.

• The following opcodes are not properly protected against function interruptions :
  ZEND_CONCAT, ZEND_ASSIGN_CONCAT, ZEND_FETCH_RW (CVE-2010-2191)

Don't tell me you don't use string concatenation (.) and assignment concatenation (.=) in your code.

A user-after-free vulnerability in the Zend engine when a '_set()', '_get()', '_isset()' or '_unset()' method is called can allow for a denial of service attack. (Bug #52879 / CVE-2010-4697)

=> Doesn't look good.

An unspecified flaw exists in 'open_basedir'. (CVE-2010-3436)

=> Potentially an issue if you rely on open_basedir to prevent access to certain files on your system.

As for the rest, they appear to be performance-related bugs (issues with memory etc.).

That said, there is no reason for you not to update your 5.2 version of PHP. Understandably, jumping up to 5.3.x might not be wise as it could cause your sites to break, but the 5.2 branch is actively being maintained.

Ignoring this is a major concern, yes:

http://www.php.net/archive/2010.php#id2010-12-16-1

The PHP development team would like to announce the immediate availability of PHP 5.2.16. This release marks the end of support for PHP 5.2. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.