[php-maint] new version of php4 fixes multiple vulnerabilities

sean finney seanius at debian.org
Mon Mar 5 00:36:06 CET 2007

hey guys,

it's that time again... i've finally managed to get all relevant
combinations of php4/php5/sarge/etch in shape.  for those not following
from home, these fixes are the result of the month of php bugs effort by
the folks at hardened php.  the changelog should give a summary of the

php4 (4:4.3.10-19) stable-security; urgency=high

  * NMU prepared for the security team by the package maintainer
  * The following security issues are addressed with this update:
    - CVE-2007-0906: Multiple buffer overflows in various code:
      * session (addressed in patch for CVE-2007-0910 below)
      * imap (CVE-2007-0906-imap.patch)
      * str_replace: (CVE-2007-0906-strreplace.patch)
      * the zip, sqlite, stream filters, mail, and interbase related
        vulnerabilities in this CVE do not affect the debian sarge php4
        source package.
    - CVE-2007-0907: Buffer underflow in sapi_header_op
    - CVE-2007-0908: wddx module information disclosure
    - CVE-2007-0909: More buffer overflows:
      * the odbc_result_all function (CVE-2007-0909-odbc.patch)
      * various formatted print functions (CVE-2007-0909-printf.patch)
    - CVE-2007-0910: Clobbering of super-global variables
    - CVE-2007-0988: DoS in unserialize on 64bit platforms
(CVE-2007-0988.patch)  * The package maintainers would like to thank Joe
Orton from redhat and
    Martin Pitt from ubuntu for their help in the preparation of this

packages, and the diff.gz are available at:


let me know if you need any further information.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20070305/9f6c25a6/attachment.pgp

More information about the pkg-php-maint mailing list