[php-maint] Re: new version of php4 fixes multiple vulnerabilities
Moritz Muehlenhoff
jmm at inutil.org
Mon Mar 5 21:31:19 CET 2007
sean finney wrote:
> php4 (4:4.3.10-19) stable-security; urgency=high
>
> * NMU prepared for the security team by the package maintainer
> * The following security issues are addressed with this update:
> - CVE-2007-0906: Multiple buffer overflows in various code:
> * session (addressed in patch for CVE-2007-0910 below)
> * imap (CVE-2007-0906-imap.patch)
> * str_replace: (CVE-2007-0906-strreplace.patch)
> * the zip, sqlite, stream filters, mail, and interbase related
> vulnerabilities in this CVE do not affect the debian sarge php4
> source package.
> - CVE-2007-0907: Buffer underflow in sapi_header_op
> (CVE-2007-0907.patch)
> - CVE-2007-0908: wddx module information disclosure
> (CVE-2007-0908.patch)
> - CVE-2007-0909: More buffer overflows:
> * the odbc_result_all function (CVE-2007-0909-odbc.patch)
> * various formatted print functions (CVE-2007-0909-printf.patch)
> - CVE-2007-0910: Clobbering of super-global variables
> (CVE-2007-0910.patch)
> - CVE-2007-0988: DoS in unserialize on 64bit platforms
> (CVE-2007-0988.patch) * The package maintainers would like to thank Joe
> Orton from redhat and
> Martin Pitt from ubuntu for their help in the preparation of this
> update.
Thanks I'll take care.
CVE-2007-0908 isn't enabled in the binary build, so this is just a given
bonus for people with a modified build, correct?
Cheers,
Moritz
More information about the pkg-php-maint
mailing list