The latest PHP releases fixed two security issues. Updates are already in the tree, but it seems no security bug is open and no stabilization is going on. php-team, can we stabilize 5.3.14?
Thanks, Hanno. @php, ok to stabilize 5.3.14?
Please go ahead
Arches, please test and mark stable: =dev-lang/php-5.3.14
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
x86 stable
amd64 stable
Stable for HPPA.
arm stable
alpha/ia64/s390/sh/sparc stable
ppc done
CVE-2012-2386 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386): Integer overflow in the phar_parse_tarfile function in tar.c in the phar extension in PHP before 5.3.14 and 5.4.x before 5.4.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted tar file that triggers a heap-based buffer overflow.
ppc64 will continue in bug 427354
CVE-2012-3450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450): pdo_sql_parser.re in the PDO extension in PHP before 5.3.14 and 5.4.x before 5.4.4 does not properly determine the end of the query string during parsing of prepared statements, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted parameter value.
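The two CVE descriptions above give the same affected range ("PHP before 5.3.14 and 5.4.x before 5.4.4"). The following is an added example, not part of the bug thread or of Gentoo's tooling: a small Python checker that turns that range into a version test, so an administrator can tell from `php -v` output or a Gentoo package atom whether a host still runs an affected build. Function names (`is_affected`, `version_from_php_v`, `version_from_atom`) and the sample inputs are constructed for illustration.

```python
"""Classify PHP versions against the affected range quoted in the thread:
CVE-2012-2386 / CVE-2012-3450 affect PHP before 5.3.14 and 5.4.x before 5.4.4.
Added example; the version boundaries come from the CVE text, everything
else here is an assumption made for illustration."""

import re

# Boundaries taken from the CVE descriptions: 5.3 branch fixed in 5.3.14,
# 5.4 branch fixed in 5.4.4.
FIXED_5_3 = (5, 3, 14)
FIRST_5_4 = (5, 4, 0)
FIXED_5_4 = (5, 4, 4)

_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)')


def parse_version(text):
    """Extract the first X.Y.Z triple from a string and return it as ints.
    Trailing suffixes such as '-r1' or 'RC2' are ignored; garbage raises."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError('no X.Y.Z version found in %r' % text)
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version lies in the range the CVEs describe."""
    ver = parse_version(version)
    if ver < FIXED_5_3:
        return True                     # "PHP before 5.3.14" (covers 5.2.x too)
    return FIRST_5_4 <= ver < FIXED_5_4  # "5.4.x before 5.4.4"


def version_from_php_v(output):
    """Pull the version out of the first line of `php -v` output,
    e.g. 'PHP 5.3.13 (cli) (built: ...)'. (Format assumed, not from the page.)"""
    m = re.match(r'PHP\s+(\d+\.\d+\.\d+)', output.strip())
    if not m:
        raise ValueError('unexpected php -v output: %r' % output)
    return m.group(1)


def version_from_atom(atom):
    """Pull the version out of a Gentoo package atom such as the one in the
    stabilization request, '=dev-lang/php-5.3.14'."""
    m = re.search(r'php-(\d+\.\d+\.\d+)', atom)
    if not m:
        raise ValueError('unexpected package atom: %r' % atom)
    return m.group(1)


def report(versions):
    """Return {version: 'affected'|'fixed'} for a list of version strings."""
    return {v: ('affected' if is_affected(v) else 'fixed') for v in versions}


if __name__ == '__main__':
    # Constructed sample inputs.
    samples = ['5.2.17', '5.3.13', '5.3.14', '5.4.3', '5.4.4']
    for version, status in sorted(report(samples).items()):
        print('%-8s %s' % (version, status))
    print(version_from_php_v('PHP 5.3.13 (cli) (built: Jun  1 2012 10:00:00)'),
          version_from_atom('=dev-lang/php-5.3.14'))
```

The comparison is done on integer tuples rather than strings so that 5.3.9 sorts below 5.3.14; a plain string compare would get that wrong.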
Thanks, everyone. Adding to existing GLSA request.
This issue was resolved and addressed in GLSA 201209-03 at http://security.gentoo.org/glsa/glsa-201209-03.xml by GLSA coordinator Sean Amoss (ackle).