PHP 5.2/5.3 hash vulnerability patch released

Source: Internet
Author: User

The previous day, information showed that many languages, including PHP, Java, and Ruby, have this vulnerability. Laruence (Sina Weibo), a member of the PHP official development team, indicates that attackers can create hash collisions to launch DoS attacks, and provides examples. This attack method is very harmful, and the attack cost is very small: a single desktop can easily take down dozens or even hundreds of servers.

This vulnerability is equivalent to a DDoS attack on most of the world's websites! The damage level is definitely nuclear-bomb level. Therefore, the official PHP development team urgently released patches. Please apply them as soon as possible.

For PHP, all versions <= 5.3.8 and <= 5.4.0RC3 are affected by this vulnerability. PHP 5.3.9 and PHP 5.4.0 already contain patches for this vulnerability. However, because both versions are still in RC status, they cannot be used to upgrade production servers. As for PHP 5.2, the official development team said it would not release a new version for this vulnerability.

The official solution currently provided is a patch for your PHP environment, which can be used with both 5.2 and 5.3. The patch address is as follows:

https://github.com/laruence/laruence.github.com/tree/master/php-5.2-max-input-vars

Usage:

1. cd into the PHP source tree and run: patch -p1 < php-5.2.*-max-input-vars.patch

2. The latest PHP 5.3.9-RC4 has fixed this vulnerability. Users of 5.3 can upgrade directly to 5.3.9-RC4.

Of course, if you do not want to update to an RC version, you can also easily modify the above patch and apply it to the corresponding version of 5.3.

Laruence also advises users of other languages such as Java and Ruby to think about countermeasures in advance. Limiting post_size is only a stopgap, but it can serve as a temporary mitigation.

Temporary solution reference: http://www.54chen.com/php-tech/hashdos.html
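As an added illustration (not code from the article or from Laruence's patch), the following Python reimplements the two limits the article relies on, a post-size cap and a max-input-vars cap, for a urlencoded form body. The constant names, default values and the reject/truncate option are assumptions modelled on PHP's settings, not PHP's own code.

```python
from urllib.parse import unquote_plus

# Assumed analogues of PHP's post_max_size (8M) and max_input_vars (1000) defaults.
MAX_POST_SIZE = 8 * 1024 * 1024
MAX_INPUT_VARS = 1000


class InputLimitExceeded(ValueError):
    """Raised when a request body violates one of the caps."""


def parse_form_body(body, max_vars=MAX_INPUT_VARS, max_size=MAX_POST_SIZE,
                    on_excess="reject"):
    """Parse an application/x-www-form-urlencoded body with both limits
    enforced BEFORE any key is inserted into the dictionary.

    on_excess="reject" refuses the request; on_excess="truncate" keeps the
    first max_vars pairs and drops the rest (what PHP's max_input_vars does,
    together with an E_WARNING). Either way the hash table never sees an
    unbounded number of keys, so colliding names cannot drive it to O(n^2).
    """
    if len(body) > max_size:
        raise InputLimitExceeded(
            f"body of {len(body)} bytes exceeds post size limit of {max_size}")
    # Counting separators is a linear scan over raw bytes with no hashing,
    # so it costs the same for colliding and non-colliding keys.
    pairs = [p for p in body.split(b"&") if p]
    if len(pairs) > max_vars:
        if on_excess == "reject":
            raise InputLimitExceeded(
                f"{len(pairs)} variables exceed max_input_vars limit of {max_vars}")
        pairs = pairs[:max_vars]
    params = {}
    for pair in pairs:
        raw_key, _, raw_value = pair.partition(b"=")
        key = unquote_plus(raw_key.decode("utf-8", "replace"))
        params[key] = unquote_plus(raw_value.decode("utf-8", "replace"))
    return params


if __name__ == "__main__":
    # Constructed sample bodies: a normal login form and an oversized one.
    normal = b"user=alice&remember=1"
    oversized = "&".join(f"field{i}=x" for i in range(1500)).encode()
    print(parse_form_body(normal))
    print(len(parse_form_body(oversized, on_excess="truncate")), "variables kept")
    try:
        parse_form_body(oversized)
    except InputLimitExceeded as exc:
        print("rejected:", exc)
```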

In addition, Microsoft has urgently released updates to fix the vulnerability in ASP.net:

http://netsecurity.51cto.com/art/201112/310628.htm

Query list

Currently, the affected languages and versions are known to be:

Java, all versions

JRuby <= 1.6.5

PHP <= 5.3.8, <= 5.4.0RC3

Python, all versions

Rubinius, all versions

Ruby <= 1.8.7-p356

Apache Geronimo, all versions

Apache Tomcat <= 5.5.34, <= 6.0.34, <= 7.0.22

Oracle Glassfish <= 3.1.1

Jetty, all versions

Plone, all versions

Rack, all versions

V8 JavaScript Engine, all versions

Languages that are not affected by this issue, or whose fixed versions are:

PHP >=5.3.9, >=5.4.0rc4

JRuby >= 1.6.5.1

Ruby >= 1.8.7-p357, 1.9.x

Apache Tomcat >=5.5.35, >=6.0.35, >=7.0.23

Oracle Glassfish, N/A (Oracle reports that the issue is fixed in the main codeline and scheduled for a future CPU)

CVE: CVE-2011-4885 (PHP), CVE-2011-4461 (Jetty), CVE-2011-4838 (JRuby), CVE-2011-4462 (Plone), CVE-2011-4815 (Ruby)
