Minor question but: strange Security Update for PHP 7.4 on SLES 15 SP2

SUSE Product Topics SLES Updates
1

Hello,
we use SLES 15 SP2 and ‘zypper info php7’ tells us it’s up to date.
Repository : SLE-Module-Web-Scripting15-SP2-Updates
Name : php7
Version : 7.4.6-3.17.1
Status : up-to-date

We also know that a security patch (https://www.suse.com/de-de/security/cve/CVE-2021-21)
has been installed.

But a security scanner like Nessus tells us, there is a lower PHP version installed and obviously we are vulnerable.

So PHP 7.4.6 is running but we are encouraged to update at least to 7.4.11 which is not available.

I know that if a patch comes out by the PHP maintainers that it is not possible to quickly deploy the version number in a SUSE product.

But what’s SUSE’s view of this topic?
Why we should stick on version 7.4.6? Is the only chance to solve the minor incident to suppress the X-Powered-By Server flag or strip it down?

Thank you for reading :blush:
Best regards
Andreas

2

@mrv Hi, this is a normal occurrence with the likes of Nessus (Only look at version numbers), bug fixes, security updates (CVE’s) are backported and version numbers don’t necessarily change, hence these sorts of warnings.

If you check the changelog via YaST, rpm or SCC → My Tools → Patches and enter the CVE number for any that your interested in.

3

Hello,
thank you for your response. I know that this CVE has been implemented.
But i am wondering if every network scan customer wants to have such false positives.
So, I believe, it’s better to rewrite the X-Powered-By Flag ( only to send PHP 7.4 because hacker will also get the old PHP information) on each server, rather than tell our own network scanner this is a false positive.

Hm, SUSE itself sends x-powered-by: PHP/7.2.34 behind the AWS Loadbalancer.
(https://suse.com/de-de/)
This PHP version has been released: 01 Oct 2020 I hope there are backported bugfixes too…

Maybe totally disabling the flag X-Powered-By would be the best :slight_smile:

4

@mrv Hi, well the way I look at it, the scanner raises an issue and requires human intervention to verify all is in fact good, can’t be a bad thing?

I’m not a PHP person, so have no idea if good or bad :wink:

5

Hello again,
well, a security scan, which monthly tells me there is something wrong - is not very nice - in particular when you have to report to a manager.
I decided to suppress the whole Response Header Flag: X-Powered-By by using: expose_php = Off in the php.ini file.

Mayby another security guy is reading this thread so that we can discuss this topic.
Which setting would be the best for blocking interesting hackers : hide the flag totally, or to send only the major version number?

Anyway, thank you for your fast response as always.