[php-maint] Re: new version of php4 fixes multiple vulnerabilities

Moritz Muehlenhoff jmm at inutil.org
Mon Mar 5 21:31:19 CET 2007


sean finney wrote:
> php4 (4:4.3.10-19) stable-security; urgency=high
> 
>   * NMU prepared for the security team by the package maintainer
>   * The following security issues are addressed with this update:
>     - CVE-2007-0906: Multiple buffer overflows in various code:
>       * session (addressed in patch for CVE-2007-0910 below)
>       * imap (CVE-2007-0906-imap.patch)
>       * str_replace: (CVE-2007-0906-strreplace.patch)
>       * the zip, sqlite, stream filters, mail, and interbase related
>         vulnerabilities in this CVE do not affect the debian sarge php4
>         source package.
>     - CVE-2007-0907: Buffer underflow in sapi_header_op
> (CVE-2007-0907.patch)
>     - CVE-2007-0908: wddx module information disclosure
> (CVE-2007-0908.patch)
>     - CVE-2007-0909: More buffer overflows:
>       * the odbc_result_all function (CVE-2007-0909-odbc.patch)
>       * various formatted print functions (CVE-2007-0909-printf.patch)
>     - CVE-2007-0910: Clobbering of super-global variables
> (CVE-2007-0910.patch)
>     - CVE-2007-0988: DoS in unserialize on 64bit platforms
> (CVE-2007-0988.patch)  * The package maintainers would like to thank Joe
> Orton from redhat and
>     Martin Pitt from ubuntu for their help in the preparation of this
> update.

Thanks I'll take care.

CVE-2007-0908 isn't enabled in the binary build, so this is just a given
bonus for people with a modified build, correct?

Cheers,
        Moritz



More information about the pkg-php-maint mailing list