[php-maint] [ilia at prohost.org: [PHP-DEV] PHP 5.2.7 Released]

Sat Dec 6 00:43:51 UTC 2008

Hi,

2008/12/5 sean finney <seanius at debian.org>:
> new version means more security vulnerabilities to process, yay :/
>
> i'll spend some time on it this weekend.
>
> at this point in the release cycle i don't think it's wise to upload
> 5.2.7 to unstable unless we're also planning on branching out for lenny
> and sending a seperate package to t-p-u.  what do you guys think?

A separate upload for lenny is needed because of pcre3's shlibs bump
anyway. Although it might be easier if we don't branch off just yet.

By the way, would it be ok to try to get the current alphas of 5.3 in
experimental? I don't plan to do it before january, but just want to
know everybody's opinion before (oh, and unless I become a DD by then
I'll need a sponsor anyway).

>
>
>        sean
>
> ----- Forwarded message from Ilia Alshanetsky <ilia at prohost.org> -----
>
> From: Ilia Alshanetsky <ilia at prohost.org>
> To: internals Mailing List <internals at lists.php.net>
> Date: Thu, 4 Dec 2008 23:35:56 -0500
> Subject: [PHP-DEV] PHP 5.2.7 Released
>
> The PHP development team would like to announce the immediate availability
> of PHP 5.2.7. This release focuses on improving the stability of the PHP
> 5.2.x branch with over 170 bug fixes, several of which are security
> related. All users of PHP are encouraged to upgrade to this release.
>
> Security Enhancements and Fixes in PHP 5.2.7:
>
>        * Upgraded PCRE to version 7.8 (Fixes CVE-2008-2371)

Irrelevant

>        * Fixed missing initialization of BG(page_uid) and BG(page_gid), reported
> by Maksymilian Arciemowicz.

dunno

>        * Fixed a crash inside gd with invalid fonts (Fixes CVE-2008-3658).

Irrelevant IIRC

>        * Fixed a possible overflow inside memnstr (Fixes CVE-2008-3659).

dunno

>        * Fixed incorrect php_value order for Apache configuration, reported by
> Maksymilian Arciemowicz.

can't remember seeing that one

>        * Fixed safe_mode related security issues detailed in CVE-2008-2665 and
> CVE-2008-2666.

Irrelevant (although already covered by the set of gentoo patches I proposed).

>        * Crash with URI/file..php (filename contains 2 dots) (Fixes
> CVE-2008-3660)

I remember seeing this one somewhere.

>        * IMAP toolkit crash: rfc822.c legacy routine buffer overflow. (Fixes
> CVE-2008-2829)

dunno

>
> Some of the key enhancements in PHP 5.2.7 include:
>
>        * Fixed several memory leaks inside the readline and sqlite extensions

sqlite is the only one that matters; shouldn't be too hard to get the
patch from cvs-

>        * A number of corrections relating to date parsing inside the date
> extension
>        * Fixed bugs relating to data retrieval in the PDO extension
>        * A series of crashes in various areas of code were resolved
>        * Several corrections were made to the strip_tags() function in terms of <
> and <?XML handling
>        * A number of bugs were fixed in extract() function when EXTR_REFS flag is
> being used
>        * Added the ability to log PHP errors to the SAPI (Ex. Apache log)
> logging facility
>        * Over 170 bug fixes.
>

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Steve Martin  - "I've got to keep breathing. It'll be my worst
business mistake if I don't."