[php-maint] Bug#523028: php5: multiple vulnerabilities
Michael S. Gilbert
michael.s.gilbert at gmail.com
Tue Apr 7 23:00:41 UTC 2009
Package: php5
Severity: grave
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.
CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inject arbitrary web script or HTML via unspecified vectors. NOTE:
| because of the lack of details, it is unclear whether this is related
| to CVE-2006-0208.
CVE-2009-0754[1]:
| PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
| local users to modify behavior of other sites hosted on the same web
| server by modifying the mbstring.func_overload setting within
| .htaccess, which causes this setting to be applied to other virtual
| hosts on the same server.
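The two settings named in these CVE descriptions can be audited from the shell. The script below is an added example and is not part of this bug report or of the php5 package; the document root, the `.htaccess` files and the php.ini it inspects are constructed inline for demonstration.

```shell
#!/bin/sh
# Added audit script (not part of the bug report): flag the two weak PHP
# settings the CVEs above describe. All paths and sample files below are
# constructed for demonstration; point the functions at a real DocumentRoot
# and php.ini to audit a host.

# Matches php_value lines that change mbstring.func_overload in .htaccess;
# such a per-directory override leaked into other vhosts (CVE-2009-0754).
OVERLOAD_RE='^[[:space:]]*php_(admin_)?value[[:space:]]+mbstring\.func_overload'

# find_func_overload DOCROOT: print each .htaccess under DOCROOT that sets
# mbstring.func_overload (nothing is printed when none do).
find_func_overload() {
    find "$1" -type f -name .htaccess -exec grep -Eil "$OVERLOAD_RE" {} + \
        2>/dev/null || true
}

# display_errors_enabled PHP_INI: exit 0 when the last display_errors line
# in PHP_INI leaves error output on (the precondition for the XSS in
# CVE-2008-5814); exit 1 when it is off or unset.
display_errors_enabled() {
    val=$(sed -n 's/^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*;.*$//' | tr -d '"' | tr 'A-Z' 'a-z')
    case "$val" in
        on|1|true|yes|stdout|stderr) return 0 ;;
        *) return 1 ;;
    esac
}

# make_sample_tree: build a constructed document root with two vhost
# directories and a php.ini, and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/site-a" "$root/site-b"
    printf 'php_value mbstring.func_overload 2\n' > "$root/site-a/.htaccess"
    printf 'php_flag display_errors off\n' > "$root/site-b/.htaccess"
    printf '; constructed php.ini\ndisplay_errors = On\n' > "$root/php.ini"
    echo "$root"
}

# Demo run against the constructed tree.
demo_root=$(make_sample_tree)
echo "htaccess files overriding mbstring.func_overload:"
find_func_overload "$demo_root"
if display_errors_enabled "$demo_root/php.ini"; then
    echo "php.ini: display_errors is on"
fi
rm -rf "$demo_root"
```

A positive hit from `find_func_overload` is only a problem on PHP builds still affected by CVE-2009-0754; on fixed packages the override stays confined to its own directory.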
Please coordinate with the security team to prepare updated packages
for the stable releases.
There is more info in the redhat security alert [2].
If you fix the vulnerabilities, please also make sure to include the
CVE ids in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
http://security-tracker.debian.net/tracker/CVE-2008-5814
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
http://security-tracker.debian.net/tracker/CVE-2009-0754
[2] http://lwn.net/Articles/327524/