It seems that all versions of PHP < 5.3.1 have a critical vulnerability to remote attacks. See provided URL.
Reproducible: Always
We need a 5.3 ebuild, and maybe also a backport? PHP herd, what's your opinion on this? I cannot confirm crashes or a hanging apache on Gentoo, Debian and a version I self-compiled. The load just increases to something like ~12 but not further, no swapping or OOM-killing happens, it's just hard disk I/O. On a system with a fast SSD, I can't see any increase in the load, but I haven't tweaked the parameters yet.
CVE-2009-4017 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4017): PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive.
Fixed in 5.2.12.
Arches, please test and mark stable: =dev-lang/php-5.2.12
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
ppc64 done
x86 stable
Stable for HPPA.
amd64/arm stable
Stable on alpha.
CVE-2009-4142 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4142): The htmlspecialchars function in PHP before 5.2.12 does not properly handle (1) overlong UTF-8 sequences, (2) invalid Shift_JIS sequences, and (3) invalid EUC-JP sequences, which allows remote attackers to conduct cross-site scripting (XSS) attacks by placing a crafted byte sequence before a special character.
CVE-2009-4143 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4143): PHP before 5.2.12 does not properly handle session data, which has unspecified impact and attack vectors related to (1) interrupt corruption of the SESSION superglobal array and (2) the session.save_path directive.
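For the UTF-8 case in CVE-2009-4142, the checks a strict decoder has to make before any HTML escaping can be trusted, written out as an added example (not code from PHP or from this bug). It covers UTF-8 only, not Shift_JIS or EUC-JP; the function names and the sample byte strings in the comments are constructed for illustration.

```python
import html

# Smallest code point that legitimately needs a 2-, 3- or 4-byte encoding.
MIN_FOR_LEN = {2: 0x80, 3: 0x800, 4: 0x10000}


def utf8_error(data: bytes):
    """Return (offset, reason) for the first malformed sequence, or None."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            length, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            length, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            length, cp = 4, b & 0x07
        else:                             # stray continuation byte or 0xF8+
            return i, "invalid lead byte"
        for k in range(1, length):
            # A missing continuation byte is an error. The byte found in its
            # place (possibly '<' or '"') must never be consumed as part of
            # the character, or it would escape the escaping step.
            if i + k >= n or data[i + k] & 0xC0 != 0x80:
                return i, "truncated sequence"
            cp = (cp << 6) | (data[i + k] & 0x3F)
        if cp < MIN_FOR_LEN[length]:      # e.g. constructed sample b"\xc0\xbc"
            return i, "overlong encoding"
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return i, "code point out of range"
        i += length
    return None


def escape_untrusted(data: bytes) -> str:
    """Escape for HTML output only after the bytes validate as strict UTF-8."""
    err = utf8_error(data)
    if err:
        raise ValueError("rejected input at byte %d: %s" % err)
    return html.escape(data.decode("utf-8"), quote=True)
```

Python's own `bytes.decode("utf-8")` already rejects these inputs; the explicit validator is there to show which conditions a decoder must test.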
Marked ppc stable.
ia64/s390/sh/sparc stable
GLSA 201001-03. Thank you everyone, sorry about the delay.