I'm trying to make my server PCI-DSS compliant. I run a third-party scanner and it tells me this:

PHP < 5.3.15 or PHP < 5.4.5 Multiple Vulnerabilities
- An unspecified overflow vulnerability exists in the function '_php_stream_scandir' in the file 'main/streams/streams.c'. (CVE-2012-2688)
- An unspecified error exists that can allow the 'open_basedir' constraint to be bypassed. (CVE-2012-3365)

I'm running Ubuntu Server 12.04 LTS; I installed php5 with apt-get. php -v reports PHP 5.3.10-1ubuntu3.4.
At the time of this post, when I look at the change logs at http://changelogs.ubuntu.com/changel...u3.4/changelog I can see CVE-2012-2688 is resolved but CVE-2012-3365 is not.
PHP 5.3.10-1ubuntu3.4 is the latest package. What's the best way to resolve this? Do I need to compile from source or should I wait for a package update? Compiling seems like it could cause a lot of issues, and also I would have to recompile for each update.
I was using Ubuntu 10.04 and installed 12.04 to fix PCI-DSS compliance issues. I was surprised (I just assumed it would be, my own fault) when I found out the latest packaged version of PHP isn't compliant. Any ideas on what's the best way to deal with this?
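The check the post describes by hand, as an added example that is not part of the original question: a banner-based scanner only sees the upstream version (5.3.10) and compares it against its "fixed in" threshold (5.3.15), while Ubuntu backports fixes into the same upstream version and records them in the package changelog. The script below separates the two checks for each reported CVE, so you can tell "flagged by version only, fix backported" from "genuinely unaddressed". The changelog text is a constructed sample shaped like a debian/changelog entry, not the real 5.3.10-1ubuntu3.4 changelog; the function names (`upstream_version`, `version_lt`, `cve_in_changelog`, `assess`) are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies scanner-reported CVEs
# against an Ubuntu package: "upstream-fixed" (installed upstream version is at
# or past the scanner's threshold), "backported" (changelog mentions the CVE),
# or "not-in-changelog" (no evidence of a fix; follow up with the distro).

# CONSTRUCTED sample changelog (not the real Ubuntu php5 changelog). It names
# CVE-2012-2688 and not CVE-2012-3365, mirroring what the post reports seeing.
SAMPLE_CHANGELOG='php5 (5.3.10-1ubuntu3.4) precise-security; urgency=low

  * SECURITY UPDATE: overflow in _php_stream_scandir (main/streams/streams.c)
    - CVE-2012-2688

 -- Constructed Example <example@example.invalid>  Mon, 01 Oct 2012 00:00:00 +0000
'

# upstream_version DEBIAN_VERSION -> upstream part only
# strips an optional epoch ("5:") and the Debian revision ("-1ubuntu3.4").
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*//'
}

# version_lt A B -> exit 0 if dotted-numeric version A is strictly lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# cve_in_changelog CHANGELOG_TEXT CVE_ID -> exit 0 if the CVE id appears
cve_in_changelog() {
    printf '%s\n' "$1" | grep -qF -- "$2"
}

# assess CHANGELOG_TEXT INSTALLED_VERSION FIXED_UPSTREAM_VERSION CVE_ID...
# prints "<cve> <verdict>" per CVE; verdict is one of
# upstream-fixed | backported | not-in-changelog
assess() {
    assess_changelog=$1
    assess_upstream=$(upstream_version "$2")
    assess_fixed=$3
    shift 3
    for assess_cve in "$@"; do
        if ! version_lt "$assess_upstream" "$assess_fixed"; then
            echo "$assess_cve upstream-fixed"
        elif cve_in_changelog "$assess_changelog" "$assess_cve"; then
            echo "$assess_cve backported"
        else
            echo "$assess_cve not-in-changelog"
        fi
    done
}

# Demo on the constructed data. On a real 12.04 host you would feed in
#   INSTALLED=$(dpkg-query -W -f='${Version}' php5)
#   CHANGELOG=$(apt-get changelog php5)
# instead of the sample values below.
assess "$SAMPLE_CHANGELOG" "5.3.10-1ubuntu3.4" "5.3.15" CVE-2012-2688 CVE-2012-3365
```

A "backported" verdict is the evidence to hand to the scanning vendor or QSA (PCI DSS accepts vendor backports when documented); a "not-in-changelog" verdict means the package really lacks the fix and the choice between waiting for a security update and building from source is a real one.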