[php-maint] new php5 packages for stable-security
seanius at debian.org
Sat Jun 30 23:53:02 UTC 2007
to follow up on this morning's mail, i've now uploaded a new security update
for php5 to the pub security upload queue. this update fixes
CVE-2007-1399/MOPB-16, which managed to slip through the mess of mopb fun
from earlier updates.
text from CVE-2007-1399:
Stack-based buffer overflow in the zip:// URL wrapper in PECL ZIP 1.8.3 and
earlier, as bundled with PHP 5.2.0 and 5.2.1, allows remote attackers to
execute arbitrary code via a long zip:// URL, as demonstrated by actively
triggering URL access from a remote PHP interpreter via avatar upload or
also in this update is a fix to a regression in single quoting introduced by
the php team's original fix for one of the previous CVE's. in #422567
someone was kind enough to dig up a fix, which has been tested and verified
by a number of submitters. at the time i didn't realize it was a regression
in the security update and instead thought it was just general breakage in
php, so i threw an upload with the fix at stable p-u, which was accepted, in
case you're curious after reading the changelog or wondering where the
previous version is when you go to debdiff.
anyway, please let me know if you need any more information.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part.
Url : http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20070701/6af33416/attachment.pgp
More information about the pkg-php-maint