After the first security update failed to properly address the PHP-CGI issue made public by mistake a few days ago, the PHP Group made another attempt to fix the source code disclosure and remote code execution vulnerabilities.
PHP 5.4.3 and PHP 5.3.13 resolve CVE-2012-2311 and CVE-2012-1823, the CVEs associated with the PHP-CGI bug.
This time it appears that PHP got it right.
“I have tested my own exploit against the new version (5.4 only, I have no 5.3 setup) and there does not seem to be a possibility to exploit the vectors opened in CVE-2012-2311 and CVE-2012-1823. These issues seem to be fixed now,” security expert Christopher Kunz wrote.
“I have tested Georg Wicherski’s PoC exploit against 5.4.3 and it seems that CVE-2012-2329 is now also fixed,” he added.
Users are advised to immediately apply the new updates.
PHP 5.4.3 and PHP 5.3.13 are available for download.