Wednesday, May 11, 2016

PHP Security Issue: libgd CVE-2016-3074

A PHP security issue that affects previous versions of PHP was recently announced. A signedness vulnerability (CVE-2016-3074) exists in libgd 2.1.1, which may result in a heap overflow when processing compressed gd2 data.

[Update: 2016/05/11]

We want to let you know that the Bitnami Team worked on updating all the native installers, virtual machines and cloud provider images of all the affected applications, and all of them are already available. We will continue working on updating the Bitnami Cloud Hosting base image.

If for any reason you are not able to update your application, follow the instructions below:

  • Deactivate the affected PHP functions (imagecreatefromgd2, imagecreatefromgd2part, imagegd2) by listing them in the disable_functions directive of the php.ini file:
    disable_functions = imagecreatefromgd2, imagecreatefromgd2part, imagegd2

  • On Windows systems, the gd extension can be deactivated easily. Comment out the extension line in the php.ini file so that it reads:
    ;extension=php_gd2.dll
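To check that the workaround above is actually in effect on a server, here is an added audit script (not Bitnami's code) that reads a php.ini path, reports any of the three gd2 functions missing from the effective disable_functions directive, and flags an uncommented php_gd2.dll extension line. It assumes the PHP rule that the last uncommented assignment of a directive wins, and treats function names case-insensitively.

```shell
#!/bin/sh
# Added example, not Bitnami's code: audit a php.ini for the CVE-2016-3074
# workaround (disable the gd2 functions / comment out php_gd2.dll).

GD2_FUNCS="imagecreatefromgd2 imagecreatefromgd2part imagegd2"

# Effective value of a directive: the last uncommented assignment wins in
# PHP, so keep only the final match; strip quotes/whitespace, lowercase it.
ini_value() {  # $1 = php.ini path, $2 = directive name
  grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
    | sed -e 's/^[^=]*=//' -e 's/[" ]//g' | tr 'A-Z' 'a-z'
}

# Print each gd2 function NOT listed in disable_functions, one per line.
missing_gd2_functions() {  # $1 = php.ini path
  disabled=",$(ini_value "$1" disable_functions),"
  for f in $GD2_FUNCS; do
    case "$disabled" in
      *",$f,"*) ;;            # listed, so the function is disabled
      *) echo "$f" ;;
    esac
  done
}

# Succeeds (0) when no uncommented extension=php_gd2.dll line remains.
gd_extension_disabled() {  # $1 = php.ini path
  ! grep -iq '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"*php_gd2\.dll' "$1"
}

# Returns 0 only when the full workaround is present in the given php.ini.
audit_php_ini() {  # $1 = php.ini path
  rc=0
  for f in $(missing_gd2_functions "$1"); do
    echo "NOT disabled: $f"; rc=1
  done
  gd_extension_disabled "$1" || { echo "gd extension still loaded via php_gd2.dll"; rc=1; }
  [ "$rc" -eq 0 ] && echo "CVE-2016-3074 workaround present in $1"
  return "$rc"
}

# Usage: audit_php_ini /path/to/php.ini
```

Run it against each php.ini that the web server's PHP actually loads (php --ini lists them), since a mitigation placed in a file PHP does not read changes nothing.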

More information about the fixed version can be found on the GD Graphics GitHub page: https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19

Do you have questions about the security issue? Post to our community forum, and we will be happy to help you.

[Update: 2016/05/12]

The Bitnami Cloud Hosting base image was released today so all of the new servers launched using our platform will include the latest security update.