[php-maint] Bug#523028: php5: multiple vulnerabilities

Michael S. Gilbert michael.s.gilbert at gmail.com
Tue Apr 7 23:00:41 UTC 2009

Package: php5
Severity: grave
Tags: security

the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.

| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inject arbitrary web script or HTML via unspecified vectors.  NOTE:
| because of the lack of details, it is unclear whether this is related
| to CVE-2006-0208.

| PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
| local users to modify behavior of other sites hosted on the same web
| server by modifying the mbstring.func_overload setting within
| .htaccess, which causes this setting to be applied to other virtual
| hosts on the same server.

Please coordinate with the security team to prepare updated packages
for the stable releases.

There is more info in the redhat security alert [2].

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
[2] http://lwn.net/Articles/327524/

More information about the pkg-php-maint mailing list