Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Henrik Ahlgren
On Wed, Dec 28, 2011 at 07:59:08AM +, Dave Henley wrote:
 When I scan my system for vulnerabilities with nessus I get the following 
 high risk output:
 
 Synopsis: The remote web server uses a version of PHP that is affected by
 multiple vulnerabilities.
 
 Description
 According to its banner, the version of PHP 5.3.x installed on the
 remote host is older than 5.3.7. 
 
 Solution
 Upgrade to PHP 5.3.7 or later.
 
 How do I solve this problem and make sure my system is not prone to any PHP 
 vulnerabilities?


I would guess that Nessus just checks the version number without
taking into account the fact that Debian normally backports security
patches instead of upgrading to newer upstream version. You can
see from the changelog.Debian.gz which CVEs are patched.



-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111228083844.GA11810@lucky
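One way to do the changelog check Henrik describes, as an added example that is not from the thread: parse the CVE ids named in the installed package's changelog.Debian.gz and compare them with the ids a scanner report lists. The changelog text, versions and CVE numbers below are constructed placeholders, not real Debian entries or advisories.

```python
import re
from typing import Dict, Set

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\)")  # "package (version) dist; urgency=..."

# Constructed sample of what `zcat /usr/share/doc/php5/changelog.Debian.gz`
# prints; versions, maintainer and CVE identifiers are placeholders only.
SAMPLE_CHANGELOG = """\
php5 (5.3.3-7+squeeze4) stable-security; urgency=high

  * Fix CVE-2011-0001: placeholder issue one.
  * Fix CVE-2011-0002, CVE-2011-0003: placeholder issues two and three.

 -- Example Maintainer <placeholder@example.org>  Tue, 20 Dec 2011 10:00:00 +0100

php5 (5.3.3-7+squeeze3) stable-security; urgency=high

  * Fix CVE-2011-0004: placeholder issue four.

 -- Example Maintainer <placeholder@example.org>  Mon, 01 Aug 2011 10:00:00 +0100
"""

def cves_by_version(changelog: str) -> Dict[str, Set[str]]:
    """Map each changelog entry's version string to the CVE ids it mentions."""
    entries: Dict[str, Set[str]] = {}
    current = None
    for line in changelog.splitlines():
        m = ENTRY_RE.match(line)
        if m:                      # entry header; bullets and trailers start with a space
            current = m.group(2)
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update(CVE_RE.findall(line))
    return entries

def patched_cves(changelog: str) -> Set[str]:
    """All CVE ids named anywhere in the installed package's changelog."""
    return set().union(*cves_by_version(changelog).values())

def check_scanner_findings(flagged: Set[str], changelog: str) -> dict:
    """Split scanner-reported CVEs into those the changelog names as fixed and
    the rest. 'unaddressed' is a list to look up in the security tracker, not
    proof of exposure: an id can be not-affected or fixed in another package."""
    covered = flagged & patched_cves(changelog)
    return {"covered": covered,
            "unaddressed": flagged - covered,
            "coverage": len(covered) / len(flagged) if flagged else 1.0}
```

On a real system, feed the output of `zcat` on the package's changelog.Debian.gz to these functions instead of the constructed sample.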



Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Moritz Mühlenhoff
Dave Henley dhenl...@live.com schrieb:


 I recently installed a Debian Squeeze system along with apache2 and PHP5.
 The system is fully up-to-date and the following php packages are installed=

Nearly all Nessus checks are junk; they only check version
numbers, but not whether a vulnerability has actually been fixed.

Since we address security vulnerabilities with backports this
leads to numerous false positives.

Cheers,
Moritz





Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Jonas Andradas
2011/12/28 Moritz Mühlenhoff j...@debian.org

 Dave Henley dhenl...@live.com schrieb:
 
 
  I recently installed a Debian Squeeze system along with apache2 and PHP5.
  The system is fully up-to-date and the following php packages are
 installed=

 Nearly all Nessus checks are junk; they only check version
 numbers, but not whether a vulnerability has actually been fixed.


In order to try to be more accurate, you could enable the Thorough scan
option in Nessus. Disabling the safe checks option might help, so Nessus
does not rely (only) on version numbers and banners but actually tries to
exploit the vulnerability (depending on how the NASL script/plugin is
written, of course). However, this could mean that, if there is a denial
of service vulnerability or any other that might impact running
services, these might be affected, and maybe the service would have to be
restarted or even the host rebooted (for example, if it's a vulnerability
that crashes the OS).


 Since we address security vulnerabilities with backports this
 leads to numerous false positives.

 Cheers,
Moritz



Best Regards,

-- 
Jonás Andradas
GPG Fingerprint:  678F 7BD0 83C3 28CE 9E8F
   3F7F 4D87 9996 E0C6 9372


RE: Vulnerable PHP version according to nessus

2011-12-28 Thread Dave Henley

Thanks, I checked the CVEs against the changelogs and approx. 50% is covered.
Is there a website of some sort to check what kind of CVEs have been patched?
If nessus does not provide a reliable report, what is the best next step to 
take here?
Are there any howtos or tutorials on how to secure a PHP installation on a 
Debian system?
Any suggestions would be very helpful.



Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Henri Salo
On Wed, Dec 28, 2011 at 12:53:13PM +, Dave Henley wrote:
 Thanks, I checked the CVEs against the changelogs and approx. 50% is covered.
 Is there a website of some sort to check what kind of CVEs have been patched?
 If nessus does not provide a reliable report, what is the best next step to 
 take here?
 Are there any howtos or tutorials on how to secure a PHP installation on a 
 Debian system?
 Any suggestions would be very helpful.

Update all software in your www-server. Some useful links:

http://security-tracker.debian.org/tracker/
http://www.debian.org/doc/manuals/securing-debian-howto/

- Henri Salo





RE: Vulnerable PHP version according to nessus

2011-12-28 Thread Dave Henley

thanks

Dave


Re: Vulnerable PHP version according to nessus

2011-12-28 Thread Ashley Taylor
Depending on your aim with your www-serv, check out suhosin.org. Some
patches that harden PHP when used in multi-user envs.

Sent from my iPhone