| Summary: | dev-lang/php-5.2.1 version bump | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Bernd Marienfeldt <bernd> |
| Component: | Vulnerabilities | Assignee: | PHP Bugs <php-bugs> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | aiwa_azca, chainsaw, holger, jan+gentoo, nakano, security, sgtphou |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.php.net/releases/5_2_1.php | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 133007, 139350, 152037, 152933, 153911, 156260 | ||
|
Description
Bernd Marienfeldt
2007-02-09 10:34:37 UTC
Would be nice to have it in portage! Also read this: http://blog.php-security.org/archives/71-Month-of-PHP-Bugs-and-PHP-5.2.1.html (Stefan Esser announcing the Month of PHP bugs) it would be really nice to have 5.2.1 in portage :) thank you This is being bumped at me by my network-admin as a security advisory. Am I going to have to write my own ebuild? Shouldn't this be a security-bug? The list of fixed security-issues in 5.2.1 is long:
Fixed possible safe_mode & open_basedir bypasses inside the session extension.
Prevent search engines from indexing the phpinfo() page.
Fixed a number of input processing bugs inside the filter extension.
Fixed unserialize() abuse on 64 bit systems with certain input strings.
Fixed possible overflows and stack corruptions in the session extension.
Fixed an underflow inside the internal sapi_header_op() function.
Fixed allocation bugs caused by attempts to allocate negative values in some code paths.
Fixed possible stack overflows inside zip, imap & sqlite extensions.
Fixed several possible buffer overflows inside the stream filters.
Fixed non-validated resource destruction inside the shmop extension.
Fixed a possible overflow in the str_replace() function.
Fixed possible clobbering of super-globals in several code paths.
Fixed a possible information disclosure inside the wddx extension.
Fixed a possible string format vulnerability in *print() functions on 64 bit systems.
Fixed a possible buffer overflow inside mail() and ibase_{delete,add,modify}_user() functions.
Fixed a string format vulnerability inside the odbc_result_all() function.
Memory limit is now enabled by default.
Added internal heap protection.
Extended filter extension support for $_SERVER in CGI and apache2 SAPIs.
Thanks Hanno, it's already handled in bug 153911 , comment #9 (In reply to comment #4) > Shouldn't this be a security-bug? The list of fixed security-issues in 5.2.1 is > long: Agree. Regards Yep, PHP 5.2.1 should be soon in Portage. Many Users want it. Umm... it's kind of urgent, I believe... any information on when we can expect to have a halfway secure PHP installation on gentoo again? http://www.golem.de/0702/50570.html Kindly stop making useless noise here, thanks. (In reply to comment #9) > Kindly stop making useless noise here, thanks. > The maintainer needs to comment on this, is really that hard to bump it or at least give a reason why it's not done yet? It's getting close to a week, I'm surprised there isn't an unstable one in yet...come on php herd. Keep this in mind http://www.securityfocus.com/bid/22505 when 5.2 is put in portage. 5.2.1 is in the php-testing overlay, please test and verify that the mentioned vulnerabilities have been patched. Lots of thanks to chtekk :) Where di I find php-testing-overlay ? dev-lang/php-5.2.1-r3 is in the tree, enjoy, with Suhosin support! Best regards, CHTEKK. thank you very much, bro! |
