Hi Vasiliy,
We are regularly updating packages on AIX toolbox for security fixes.
For example, there have been 4 releases of PHP in the last year on AIX toolbox.
For the outstanding vulnerability, we are also in the process of releasing an updated version of PHP.
These fixes take some time due to process and other work already planned.
But we try to deliver a fix within a couple of months of the vulnerability being reported.
------------------------------
SANKET RATHI
------------------------------
Original Message:
Sent: Wed August 18, 2021 03:06 PM
From: Vasiliy Gokoyev
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
@Erich Wolz
I think you are suggesting to hide the version of the PHP so that Nessus is unable to determine what is running on the backend. That sure is a neat trick, but it's not what I'm after. I'd like to see AIX rpms keep up with the releases of the software on a regular basis. The currently offered pkg 7.4.13-2 is from November last year (possibly with some more recent CVEs baked in), 9 minor revisions behind.
------------------------------
Vasiliy Gokoyev
Original Message:
Sent: Wed August 18, 2021 02:17 PM
From: Erich Wolz
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
@Vasiliy Gokoyev If this vuln is being flagged because you're also running an httpd daemon (in particular, the /opt/freeware version of Apache rather than IBM HTTP Server) be sure that your server is not configured with the default "ServerTokens Full" (i.e. change it to "ServerTokens Prod") -- which is the only reason why the downlevel PHP is being flagged at all.
@SANKET RATHI I would recommend changing the AIX Toolbox version of the httpd package such that /opt/freeware/etc/httpd/conf/extra/httpd-default.conf specifies "ServerTokens Prod" (and is uncommented by default in /opt/freeware/etc/httpd/conf/httpd.conf and /opt/freeware/etc/httpd/conf/httpd.conf_64). I realize you may not be the one in a position to do this... in which case I assume you might know who the right person is.
------------------------------
Erich Wolz
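The "ServerTokens" point above is easy to get wrong because the directive lives in conf/extra/httpd-default.conf, which only takes effect when the Include line in httpd.conf is uncommented. The following script is an added example, not code from the thread or from the AIX Toolbox packages; it assumes the /opt/freeware-style layout described above (CONFDIR/conf/httpd.conf with an optional Include of conf/extra/httpd-default.conf) and resolves the value that httpd would actually apply, reading directives in file order and expanding the Include where it appears.

```shell
# Added example: audit an httpd configuration tree for the effective
# "ServerTokens" value. Assumed layout (as in the thread's /opt/freeware
# paths): $1/conf/httpd.conf with an optional
# "Include conf/extra/httpd-default.conf" line.

# Print the effective ServerTokens value for one configuration tree.
# A later directive overrides an earlier one, an Include is expanded at the
# point where it appears, and a commented-out Include contributes nothing.
effective_server_tokens() {
  main="$1/conf/httpd.conf"
  extra="$1/conf/extra/httpd-default.conf"
  awk -v extra="$extra" '
    function scan(line,   f) {
      if (line ~ /^[ \t]*ServerTokens[ \t]+/) { split(line, f); value = f[2] }
    }
    BEGIN { value = "Full" }   # httpd default when the directive is absent
    /^[ \t]*Include[ \t]+.*extra\/httpd-default\.conf/ {
      while ((getline l < extra) > 0) scan(l)
      close(extra); next
    }
    { scan($0) }
    END { print value }
  ' "$main"
}

# Exit 0 only when the tree would send the minimal "Server: Apache" banner.
is_banner_minimal() {
  [ "$(effective_server_tokens "$1")" = "Prod" ]
}

# Constructed sample tree (not a real package). "$2" is "default" for the
# shipped state (Include commented out, extra file says Full) or "hardened"
# for the state recommended in the thread (Include active, Prod).
make_sample_tree() {
  mkdir -p "$1/conf/extra"
  if [ "$2" = "hardened" ]; then inc="Include"; tok="Prod"; else inc="#Include"; tok="Full"; fi
  printf 'ServerRoot "/opt/freeware"\nListen 80\n%s conf/extra/httpd-default.conf\n' "$inc" > "$1/conf/httpd.conf"
  printf '# Default server settings\nServerTokens %s\nServerSignature Off\n' "$tok" > "$1/conf/extra/httpd-default.conf"
}

# Demonstration run against both variants in a scratch directory.
tmp=$(mktemp -d)
make_sample_tree "$tmp/default" default
make_sample_tree "$tmp/hardened" hardened
for d in default hardened; do
  printf '%s: ServerTokens %s\n' "$d" "$(effective_server_tokens "$tmp/$d")"
done
rm -rf "$tmp"
```

Point it at a real tree with `effective_server_tokens /opt/freeware/etc/httpd` to confirm whether the scanner will still see the PHP and httpd versions in the Server header.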
Original Message:
Sent: Wed August 18, 2021 01:58 PM
From: Vasiliy Gokoyev
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
At least these are being flagged:
Nessus | PHP 7.4.x < 7.4.18 / 8.x < 8.0.5 Multiple Vulnerability | Plugin ID: 144947, 146311, 149348 |
This appears to be a recurring theme with the AIX rpms. The packages are not released on a regular schedule, or CVEs are applied without incrementing the reported version (openssl is one notorious example). The scanners are not able to detect whether a particular CVE was fixed by applying a patch when the binaries report an outdated revision.
------------------------------
Vasiliy Gokoyev
Original Message:
Sent: Wed August 18, 2021 01:39 AM
From: SANKET RATHI
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
Hi Vasiliy,
We have published php-7.4.13.
Since then we have seen CVE-2021-21705 and we will publish a fix for that.
Are you also looking for some other fixes that are not part of 7.4.13? Can you please share the CVE?
------------------------------
SANKET RATHI
Original Message:
Sent: Thu August 12, 2021 04:51 PM
From: Vasiliy Gokoyev
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
Hello. For the past several months, Nessus scans have been flagging the IBM-supplied PHP rpm versions.
Our standard reply is that we are waiting for the vendor (IBM) to supply an update. However, no newer version has been in sight for many months, nor any sort of predictable release schedule.
Can IBM please try to keep up with the version releases, especially for security-bug-ridden products like PHP?
The sec team does not produce a good security scorecard for the IBM OS when some packages are left so far behind on updates.
Thanks
------------------------------
Vasiliy Gokoyev
Original Message:
Sent: Mon May 03, 2021 07:19 AM
From: SANKET RATHI
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
php-7.4.13 has been published from AIX toolbox.
------------------------------
SANKET RATHI
Original Message:
Sent: Wed April 28, 2021 09:39 AM
From: SANKET RATHI
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
Hi Vasiliy,
We are in the process of publishing PHP 7.4.x. I hope it should be available by tomorrow or the day after on AIX toolbox.
We have a process where we monitor the packages and try to update them regularly.
But probably we need to refine our process to make sure we do not continue with out-of-support packages.
Thank you for providing feedback, and we will improve our process on out-of-support packages.
------------------------------
SANKET RATHI
Original Message:
Sent: Tue April 27, 2021 04:05 PM
From: Vasiliy Gokoyev
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
Hello,
Do you have an update on the release date?
End of support date : 2020/11/30
Announcement : http://php.net/supported-versions.php
Supported versions : 7.3.x / 7.4.x / 8.0.x
In general, is there a way for IBM to stay on top of these end-of-life announcements and deliver the updates quicker?
------------------------------
Vasiliy Gokoyev
Original Message:
Sent: Fri March 26, 2021 03:55 AM
From: SANKET RATHI
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
Thank you Erich for raising the issue.
Yes, we are working on upgrading PHP and hope we will be able to deliver it by the end of next month.
------------------------------
SANKET RATHI
Original Message:
Sent: Mon March 15, 2021 12:59 PM
From: Erich Wolz
Subject: Security Scan Reports "Installed version : 7.2.34 Fixed version : 7.3.24" for PHP
However, the most recent version of PHP (and related packages) that is available on the AIX Toolbox for Linux Applications download site is still only v7.2.34.
Any idea when an updated version of PHP will be made available?
------------------------------
Erich Wolz
------------------------------