[php-maint] Bug#479723: php 5.2.6 Security Fixes

Moritz Naumann bugs.debian.org at moritz-naumann.com
Tue May 6 10:16:25 UTC 2008

Package: php5
Version: 5.2.0-8+etch10
Tags: security, upstream, fixed-upstream, etch, lenny

http://www.php.net/ChangeLog-5.php lists several security fixes which are
included in upstream PHP 5.2.6:

    * Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
      --> CVE-2008-2050 (acc. to
      --> not tracked by Debian yet
    * Properly address incomplete multibyte chars inside escapeshellcmd()
      (Ilia, Stefan Esser)
      --> CVE-2008-2051 (acc. to
      --> not tracked yet
    * Fixed security issue detailed in CVE-2008-0599. (Rasmus)
      --> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
      --> already tracked at
    * Fixed a safe_mode bypass in cURL identified by Maksymilian
      Arciemowicz. (Ilia)
      --> CVE-2007-4850 (acc. to
      --> already tracked at
      --> missing source package reference at
    * Upgraded PCRE to version 7.6 (Nuno)
      --> CVE-2008-0674 (best match, no reference found)
      --> not tracked yet
      --> possibly missing reference at
          (but should really be tracked separately)
      --> local code execution through buffer overflow

CC to team at security.debian.org: contains info on security issues not fixed
in Debian Stable
CC to secure-testing-team: contains info on security issues not fixed in
Debian Testing
CC to debian-security-tracker: contains info on missing cross references on
