php-5.2.5 was "released" (well, the tarball was created, but it was only made public on Oct 09/10th) on Nov 08th. All important security fixes from the announcement are already fixed in php-5.2.4_p20070914-r2, but some crash bugs (which upstream apparently does not consider to be "security issues"...) have been fixed meanwhile:

* Fixed bug #43196 (array_intersect_assoc() crashes with non-array input). (Jani)
* Fixed bug #42976 (Crash when constructor for newInstance() or newInstanceArgs() fails) (Ilia)
* Fixed bug #42703 (Exception raised in an iterator::current() causes segfault in FilterIterator) (Marcus)

(might well be possible I missed some)

This release also has some fixes which may be security-related, but I have too little C knowledge to judge that (commit messages were saying nothing which would be understandable by an outsider -- "fix coverity issue #1234"...). Maybe there are crash issues fixed by those commits as well, or it even allows for local code execution (which would mean bypassing safe_mode/open_basedir etc.)

All in all, we've probably never had any php release with less security improvements for us. :)

php-5.2.5 has been in the tree since yesterday evening and is unmasked as of today.
Thx Christian. Is this one ready for stable marking?
Arches, please test and mark stable dev-lang/php-5.2.5. Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"

Setting B3 as the vulnerabilities only seem to be Denial of Service and bypass of basedir.
x86 stable
alpha/ia64/sparc stable
Stable for HPPA.
ppc64 stable
Works well on amd64, please mark stable

Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.19-rc1-git3 x86_64)
=================================================================
System uname: 2.6.19-rc1-git3 x86_64 AMD Opteron(tm) Processor 842
Timestamp of tree: Tue, 13 Nov 2007 00:02:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r1
sys-devel/automake: 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=opteron -O2 -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=opteron -O2 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 berkdb bitmap-fonts cli cracklib crypt cups dri fortran gdbm gpm iconv ipv6 isdnlog midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vim-syntax xorg zlib zsh-completion"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
USERLAND="GNU"
VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
ppc stable
Stable for AMD64.
GLSA vote now open. I tend to vote no.
http://secunia.com/advisories/27648/
CVE assigned these new identifiers:

CVE-2007-5898 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5898): The (1) htmlentities and (2) htmlspecialchars functions in PHP before 5.2.5 accept partial multibyte sequences, which has unknown impact and attack vectors, a different issue than CVE-2006-5465.

CVE-2007-5899 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5899): The output_add_rewrite_var function in PHP before 5.2.5 rewrites local forms in which the ACTION attribute references a non-local URL, which allows remote attackers to obtain potentially sensitive information by reading the requests for this URL, as demonstrated by a rewritten form containing a local session ID.

CVE-2007-5900 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5900): PHP before 5.2.5 allows local users to bypass protection mechanisms configured through php_admin_value or php_admin_flag in httpd.conf by using ini_set to modify arbitrary configuration variables, a different issue than CVE-2006-4625.
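To make the CVE-2007-5899 mechanism concrete, here is an added example (not part of this bug report and not PHP's own code) that simulates in Python what a URL/form rewriter like output_add_rewrite_var does when it appends a hidden session field to `<form>` tags. The sample HTML, the host name `www.example.com` and the helper names are constructed for illustration. With `local_host=None` every form is rewritten, including one whose ACTION points at a foreign host, so the session ID is handed to that host; with a local host supplied, only forms that submit back to that host receive the field, which is the behaviour the CVE text describes as fixed in 5.2.5.

```python
import re
from urllib.parse import urlsplit

# Constructed sample page (not from the original report): one local form,
# one form posting to a foreign host, one form with no action attribute.
SAMPLE_HTML = """<html><body>
<form action="/login.php" method="post"><input name="u"></form>
<form action="http://partner.example.org/search" method="get"><input name="q"></form>
<form method="post"><input name="x"></form>
</body></html>"""

FORM_OPEN_RE = re.compile(r'<form\b[^>]*>', re.IGNORECASE)
FORM_RE = re.compile(r'<form\b[^>]*>.*?</form>', re.IGNORECASE | re.DOTALL)
ACTION_RE = re.compile(r'\baction\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def is_local_action(action, local_host):
    """True if a form with this ACTION submits back to local_host.

    An empty or relative action is local; an absolute URL is local only
    when its host matches; non-http(s) schemes are treated as foreign.
    """
    parts = urlsplit(action)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False
    return parts.netloc == "" or parts.netloc.lower() == local_host.lower()


def rewrite_forms(html, name, value, local_host=None):
    """Append a hidden <input> carrying (name, value) to <form> open tags.

    local_host=None mimics the pre-5.2.5 behaviour from CVE-2007-5899:
    every form is rewritten, whatever its ACTION. With local_host set,
    forms whose ACTION targets another host are left untouched.
    """
    hidden = '<input type="hidden" name="%s" value="%s" />' % (name, value)

    def repl(match):
        tag = match.group(0)
        found = ACTION_RE.search(tag)
        action = found.group(1) if found else ""
        if local_host is not None and not is_local_action(action, local_host):
            return tag
        return tag + hidden

    return FORM_OPEN_RE.sub(repl, html)


def leaked_to_foreign_hosts(html, name, local_host):
    """Return the foreign hosts whose forms carry the hidden field `name`.

    This is the check a reviewer would run over rendered output: any
    foreign-action form that contains the session field leaks it.
    """
    field_re = re.compile(r'\bname\s*=\s*["\']%s["\']' % re.escape(name))
    leaks = []
    for match in FORM_RE.finditer(html):
        form = match.group(0)
        open_tag = FORM_OPEN_RE.match(form).group(0)
        found = ACTION_RE.search(open_tag)
        action = found.group(1) if found else ""
        if is_local_action(action, local_host):
            continue
        if field_re.search(form):
            leaks.append(urlsplit(action).netloc.lower())
    return leaks


if __name__ == "__main__":
    vulnerable = rewrite_forms(SAMPLE_HTML, "PHPSESSID", "abc123")
    fixed = rewrite_forms(SAMPLE_HTML, "PHPSESSID", "abc123",
                          local_host="www.example.com")
    print("pre-5.2.5 style leaks to:",
          leaked_to_foreign_hosts(vulnerable, "PHPSESSID", "www.example.com"))
    print("fixed style leaks to:",
          leaked_to_foreign_hosts(fixed, "PHPSESSID", "www.example.com"))
```

The simulation only handles quoted ACTION attributes and is not a full HTML parser; its point is the host comparison, which is exactly what was missing before 5.2.5. Note that the fixed rule still rewrites a form with no ACTION at all, since such a form posts back to the current page.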
I vote NO.
I vote no - nothing critical here.
Two NO votes -> closing.