[php-maint] php4/php5 updates for oldstable/stable
seanius at debian.org
Thu Sep 20 20:58:01 UTC 2007
hey guys... it's that time again. php packages fixing the latest batch of
(mostly minor) security issues are prep'd, built, and uploaded to
security-master. here's a list of the CVEs that they fix:

(php4/sarge, php4/etch, php5/etch)
The session_start function in ext/session in PHP 4.x up to 4.4.7 and 5.x up to
5.2.3 allows remote attackers to insert arbitrary attributes into the session
cookie via special characters in a cookie that is obtained from (1)
PATH_INFO, (2) the session_id function, and (3) the session_start function,
which are not encoded or filtered when the new session cookie is generated.

Multiple integer overflows in PHP 4 before 4.4.8, and PHP 5 before 5.2.4,
allow remote attackers to obtain sensitive information (memory contents) or
cause a denial of service (thread crash) via a large len value to the (1)
strspn or (2) strcspn function, which triggers an out-of-bounds read. NOTE:
this affects different product versions than CVE-2007-3996.

The wordwrap function in PHP 4 before 4.4.8, and PHP 5 before 5.2.4, does not
properly use the breakcharlen variable, which allows remote attackers to
cause a denial of service (divide-by-zero error and application crash, or
infinite loop) via certain arguments, as demonstrated by a 'chr(0), 0, ""'

The money_format function in PHP before 5.2.4 permits multiple (1) %i and
(2) %n tokens, which has unknown impact and attack vectors, possibly related
to a format string vulnerability.

The zend_alter_ini_entry function in PHP before 5.2.4 does not properly handle
an interruption to the flow of execution triggered by a memory_limit
violation, which has unknown impact and attack vectors.

Unspecified vulnerability in the chunk_split function in PHP before 5.2.4 has
unknown impact and attack vectors, related to an incorrect size calculation.
(fixed with the strcspn patch above)

Buffer overflow in the php_openssl_make_REQ function in PHP before 5.2.4 has
unknown impact and attack vectors.

let me know if you need anything else from me!
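
The strspn/strcspn entry above describes a caller-supplied len that is trusted past the end of the string. The following is an added example, not code from PHP or from the Debian patches: it clamps a (start, len) pair to the buffer without ever computing start + len, then scans only inside that window. The names `clamp_window` and `bounded_strspn`, and the rule that negative values count back from the end, are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* Hypothetical helper: turn caller-controlled (start, len) into a window
 * [*off, *off + *n) that always lies inside a buffer of s_len bytes.
 * start + len is never formed, so no intermediate value can overflow.
 * Assumed semantics: negative values count back from the end. */
static void clamp_window(size_t s_len, long start, long len,
                         size_t *off, size_t *n)
{
    size_t remaining, back;

    if (start < 0) {
        back = (size_t)(-(start + 1)) + 1;  /* |start|, safe at LONG_MIN */
        *off = back >= s_len ? 0 : s_len - back;
    } else {
        *off = (size_t)start > s_len ? s_len : (size_t)start;
    }
    remaining = s_len - *off;
    if (len < 0) {
        back = (size_t)(-(len + 1)) + 1;    /* |len|, safe at LONG_MIN */
        *n = back >= remaining ? 0 : remaining - back;
    } else {
        *n = (size_t)len > remaining ? remaining : (size_t)len;
    }
}

/* Length of the leading run of bytes from `accept` inside the window. */
static size_t bounded_strspn(const char *s, size_t s_len,
                             const char *accept, size_t a_len,
                             long start, long len)
{
    unsigned char allowed[256] = {0};
    size_t off, n, i;

    for (i = 0; i < a_len; i++)
        allowed[(unsigned char)accept[i]] = 1;
    clamp_window(s_len, start, len, &off, &n);
    /* i < n is tested first, so s[off + n] is never read */
    for (i = 0; i < n && allowed[(unsigned char)s[off + i]]; i++)
        ;
    return i;
}

int main(void)
{
    const char s[] = "aaaabbbb";  /* constructed sample input */
    printf("%zu\n", bounded_strspn(s, 8, "a", 1, 1, LONG_MAX));
    return 0;
}
```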