Requesting version bump for dev-lang/php to version 5.2.12 ASAP since it fixes several vulnerabilities. Reproducible: Always
Sorry for the typo.
Is someone working on this? PHP 5.2.12 works perfectly with the old ebuild, just bump the version and upload the new patchset.
(In reply to comment #2)
> Is someone working on this?
Yes, I am.
> PHP 5.2.12 works perfectly with the old ebuild, just
> bump the version and upload the new patchset.
No, it does not, at least not on ~amd64. I'm getting ld errors related to the tag PHP_5, most likely related to concurrentmodphp. I'll have to investigate. If it was working without problems, it would already be in the tree.
(In reply to comment #3)
> No, it does not, at least not on ~amd64. I'm getting ld errors related to the
> tag PHP_5, most likely related to concurrentmodphp. I'll have to investigate.
> If it was working without problems, it would already be in the tree.
I'm truly sorry, I didn't mean to be impatient. If you need any help testing, please say so. (Anyway, I was wondering why concurrentmodphp is still being kept around while FastCGI has evolved a lot and is in fact the only upstream supported way of running multiple PHP versions, but I guess that belongs in another thread.)
CVE-2008-7002 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7002): PHP 5.2.5 does not enforce (a) open_basedir and (b) safe_mode_exec_dir restrictions for certain functions, which might allow local users to bypass intended access restrictions and call programs outside of the intended directory via the (1) exec, (2) system, (3) shell_exec, (4) passthru, or (5) popen functions, possibly involving pathnames such as "C:" drive notation.
release announcements: http://www.php.net/archive/2009.php#id2009-12-17-1 http://www.php.net/releases/5_2_12.php
In the tree, but USE=concurrentmodphp is broken (compile failure), see bug 298969. It's not a big problem per se, because it should not be needed at the moment (no one should be using php-4, and php-6 isn't there yet). If you want, you can go for stable. I will work on fixing the problem, but I cannot promise when. Certainly not this year ;)
Thank you, Christian. The bump is done, so this bug can be closed. Stabilization due to security issues is handled on the appropriate security bug (bug #293888).