[Pkg-mediawiki-devel] [MediaWiki-announce] MediaWiki and PHP 5.3.5/5.2.17

Tim Starling tstarling at wikimedia.org
Thu Jan 13 04:05:24 UTC 2011

If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17, or a patched PHP package from a Linux
distribution that includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
are vulnerable to a denial-of-service attack.

CVE-2010-4645 is a vulnerability in PHP that causes the conversion of
certain special strings to a floating-point number to never terminate.
Because PHP is weakly typed, such a conversion can take place
implicitly, for example in code like "$string > 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.
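As an added example (not part of this announcement), the following POSIX shell script classifies a PHP build against the thresholds given above: a 32-bit build (PHP_INT_SIZE == 4) older than 5.3.5 on the 5.3 line or 5.2.17 on the 5.2 line. It assumes a `php` binary on PATH for the live check; distribution packages may carry a backported fix under an older version number, so "affected" here means "verify against the package changelog", not "confirmed vulnerable".

```shell
#!/bin/sh
# Constructed example: check whether a PHP build falls in the range the
# announcement describes for CVE-2010-4645 (32-bit, older than 5.3.5 / 5.2.17).
# Version-number checks cannot see distro backports; treat a hit as "verify".

# php_affected VERSION INT_SIZE -> exit 0 if in the affected range, 1 otherwise
php_affected() {
    ver=$1
    int_size=$2
    # 64-bit builds are outside the scope of the announcement.
    [ "$int_size" -eq 4 ] || return 1

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    # Drop suffixes such as "-1ubuntu3" or "RC1" so the arithmetic below works.
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0

    [ "$major" -gt 5 ] && return 1      # PHP 7 and later postdate the fix
    [ "$major" -lt 5 ] && return 0      # PHP 4 and earlier predate either fix
    case $minor in
        3) [ "$patch" -lt 5 ] ;;        # fixed in 5.3.5
        2) [ "$patch" -lt 17 ] ;;       # fixed in 5.2.17
        *) [ "$minor" -lt 2 ] ;;        # 5.0/5.1 predate both fixed releases
    esac
}

# Query the local interpreter (assumes `php` is on PATH) and report.
check_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php not found on PATH"; return 2; }
    set -- $(php -r 'echo PHP_VERSION, " ", PHP_INT_SIZE;')
    if php_affected "$1" "$2"; then
        echo "PHP $1 ($(($2 * 8))-bit): in the affected range; confirm a fix or upgrade"
    else
        echo "PHP $1 ($(($2 * 8))-bit): outside the affected range"
    fi
}

# Run the live check only when invoked as: sh check_php.sh --check
case ${1:-} in --check) check_local_php ;; esac
```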

PHP release announcement:

Updated Ubuntu packages:

-- Tim Starling

MediaWiki announcements mailing list