Open Source PHP and Ruby on Rails Updated for Security

The two security flaws fixed in PHP 5.4.4 and PHP 5.3.14 are related to each other and could potentially enable an attacker to execute arbitrary code. The primary flaw, identified as CVE-2012-2143 is a security issue with the DES (Data Encryption Standard)implementation found within the PHP “crypt()” function.

A Red Hat bugzilla report on the flaw by developer Jan Lieskovsky, notes that the flaw was found in the way DES and extended DES based crypt() password encryption function performed encryption of certain keys. The flaw is that certain keys were truncated before being DES digested, which could potentially have enabled an authentication bypass.