[Secure-testing-team] php 5.2.6 Security Fixes
Moritz Naumann
bugs.debian.org at moritz-naumann.com
Tue May 6 10:16:25 UTC 2008
Package: php5
Version: 5.2.0-8+etch10
Tags: security, upstream, fixed-upstream, etch, lenny
http://www.php.net/ChangeLog-5.php lists several security fixes which are
included in upstream PHP 5.2.6:
* Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei
Nigmatulin)
--> CVE-2008-2050 (acc. to
http://marc.info/?l=oss-security&m=120974347717937)
--> not tracked by Debian yet
* Properly address incomplete multibyte chars inside escapeshellcmd()
(Ilia, Stefan Esser)
--> CVE-2008-2051 (acc. to
http://marc.info/?l=oss-security&m=120974347717937)
--> not tracked yet
* Fixed security issue detailed in CVE-2008-0599. (Rasmus)
--> CVE-2008-0599 (acc. to http://www.php.net/ChangeLog-5.php)
--> already tracked at
http://security-tracker.debian.net/tracker/CVE-2008-0599
* Fixed a safe_mode bypass in cURL identified by Maksymilian
Arciemowicz. (Ilia)
--> CVE-2007-4850 (acc. to
http://securityreason.com/achievement_securityalert/51)
--> already tracked at
http://security-tracker.debian.net/tracker/CVE-2007-4850
--> missing source package reference at
http://security-tracker.debian.net/tracker/source-package/php5
* Upgraded PCRE to version 7.6 (Nuno)
--> CVE-2008-0674 (best match, no reference found)
--> not tracked yet
--> possibly missing reference at
http://security-tracker.debian.net/tracker/CVE-2008-0674
(but should really be tracked separately)
--> local code execution through buffer overflow
CC to team at security.debian.org: contains info on security issues not fixed
in Debian Stable
CC to secure-testing-team: contains info on security issues not fixed in
Debian Testing
CC to debian-security-tracker: contains info on missing cross references on
security-tracker.d~.n~
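The escapeshellcmd() item above concerns input containing incomplete multibyte character sequences. The following is an added illustration, not code from the report or from PHP upstream, of the defensive pattern an application can apply regardless of the interpreter version: validate the byte string's encoding before it reaches any shell-escaping routine, and pass untrusted values as single quoted arguments via escapeshellarg() rather than through escapeshellcmd(). The wrapper name safe_shell_arg and the sample inputs are constructed for this example; the code assumes the mbstring extension is loaded.

```php
<?php
// Added example (not part of the original report): refuse strings that are
// not well-formed in the expected encoding before escaping them for a shell.
// Assumes mbstring is available; safe_shell_arg is a hypothetical helper name.
function safe_shell_arg($input, $encoding = 'UTF-8')
{
    // mb_check_encoding() returns false for truncated or malformed sequences,
    // the input class the 5.2.6 changelog entry for escapeshellcmd() refers to.
    if (!mb_check_encoding($input, $encoding)) {
        throw new InvalidArgumentException('argument is not valid ' . $encoding);
    }
    // A NUL byte can never be part of a legitimate shell argument; reject it
    // explicitly instead of relying on the escaping function to notice.
    if (strpos($input, "\0") !== false) {
        throw new InvalidArgumentException('argument contains a NUL byte');
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quotes, so the shell sees exactly one argument.
    return escapeshellarg($input);
}

// Constructed sample inputs.
$ok = safe_shell_arg("report-2008.txt");
echo "accepted: " . $ok . PHP_EOL;          // accepted: 'report-2008.txt'

try {
    // "\xE3\x81" is the first two bytes of a three-byte UTF-8 sequence,
    // i.e. an incomplete multibyte character.
    safe_shell_arg("abc\xE3\x81");
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The check is deliberately placed before escaping: once a malformed sequence has been handed to an escaping function, any decision that function makes about where a character starts or ends is already outside the application's control.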