PHP Fixes OpenSSL Vulnerabilities In Recent Updates
The PHP team has released new versions of the popular scripting language that fix a number of bugs, including two OpenSSL vulnerabilities. The two OpenSSL flaws patched in the recent update don't compare to the level of Heartbleed but are in fact important. The recent updates, PHP 5.5.14 and 5.4.30, both patch two vulnerabilities: one in the way OpenSSL handles timestamps on certain certificates, and another that also involves timestamps, in a different way.
“This piece of code is the part of a backwards UTCTime parser. It moves 2 positions to the left, and converts those two characters to an int,” the bug report for one of the OpenSSL flaws states. “However, certs with a validity past 2050 contain GeneralizedTime formatted timestamps allowing 4 characters in the year field instead of the UTCTime this function parses (badly),” the report continues.
The second patched OpenSSL vulnerability lies in the way that PHP handles certain data types for timestamps. Processing a specially crafted certificate is prone to errors.
“The cert was generated by a Windows 2003 server. Note the ‘valid to’ time is ‘Jun 21 15:59:11 2109 GMT’. In openssl.c PHP checks for V_ASN1_UTCTIME, but triggers the warning when the time is V_ASN1_GENERALIZEDTIME. According to a brief search of the openssl source both are valid expressions of a valid from/to time,” the report states.
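Both reports come down to a certificate time parser that assumes UTCTime's two-digit year. The sketch below is an added example, not code from PHP or OpenSSL: it selects the year width from the ASN.1 tag and checks the length before reading any field. The function and type names are hypothetical, and it assumes the fixed-length forms used in certificates (`YYMMDDHHMMSSZ` and `YYYYMMDDHHMMSSZ`).

```c
#include <stddef.h>
#include <string.h>

/* Universal ASN.1 tag numbers for the two time types (enum names are this example's own). */
enum { TAG_UTCTIME = 23, TAG_GENERALIZEDTIME = 24 };
struct cert_time { int year, mon, day, hour, min, sec; };

/* Read exactly n decimal digits at p; return -1 on any non-digit. */
static int digits(const unsigned char *p, int n) {
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (p[i] < '0' || p[i] > '9') return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Parse a certificate validity timestamp: UTCTime "YYMMDDHHMMSSZ" (13 bytes)
 * or GeneralizedTime "YYYYMMDDHHMMSSZ" (15 bytes). Returns 0 on success and
 * -1 on malformed input. Never reads outside [data, data + len). */
int parse_cert_time(int tag, const unsigned char *data, size_t len, struct cert_time *out) {
    int ydigits, f[6];
    if (tag == TAG_UTCTIME) ydigits = 2;
    else if (tag == TAG_GENERALIZEDTIME) ydigits = 4;
    else return -1;
    if (data == NULL || out == NULL) return -1;
    if (len != (size_t)ydigits + 11 || data[len - 1] != 'Z') return -1;

    f[0] = digits(data, ydigits);
    for (int i = 1; i < 6; i++)              /* month, day, hour, minute, second */
        f[i] = digits(data + ydigits + 2 * (i - 1), 2);
    for (int i = 0; i < 6; i++) if (f[i] < 0) return -1;
    if (tag == TAG_UTCTIME) f[0] += (f[0] >= 50) ? 1900 : 2000;  /* RFC 5280 pivot */
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59) return -1;
    *out = (struct cert_time){ f[0], f[1], f[2], f[3], f[4], f[5] };
    return 0;
}

/* Convenience wrapper for NUL-terminated text: returns the 4-digit year or -1. */
int cert_time_year(int tag, const char *s) {
    struct cert_time t;
    return parse_cert_time(tag, (const unsigned char *)s, strlen(s), &t) == 0 ? t.year : -1;
}

int main(void) {
    /* The "valid to" time quoted in the report, encoded as GeneralizedTime. */
    return cert_time_year(TAG_GENERALIZEDTIME, "21090621155911Z") == 2109 ? 0 : 1;
}
```

A GeneralizedTime value handed to the parser under the UTCTime tag is rejected on length alone, so no field is read at the wrong offset.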
Alongside the two OpenSSL vulnerability patches, PHP 5.5.10 and 5.4.30 patched a number of non-security-related bugs.