Looks like I've failed and have never filed a bug for the security-relevant fixes which have been introduced in php-5.2.8-r2. So here we go: #1 015_json_decode-crash.patch (CVE-2009-1271) Further references: [1] [2] Impact: Local DoS (persistent php setups) #2 016_extract-crash.patch (crash in PHP's explode() function) Further references: [3] [4] [5] Impact: Local DoS (persistent php setups) Those have been fixed since 5.2.8-r2, which is already stable on all arches. So nothing to do here, just archiving purposes. [1] http://cvs.php.net/viewvc.cgi/php-src/ext/json/JSON_parser.c?r1=1.1.2.14&r2=1.1.2.15&diff_format=u [2] http://cvs.php.net/viewvc.cgi/php-src/ext/json/tests/001.phpt?r1=1.1.2.4&r2=1.1.2.5&diff_format=u [3] http://bugs.php.net/bug.php?id=46873 [4] http://cvs.php.net/viewvc.cgi/php-src/ext/standard/tests/array/bug46873.phpt?view=markup&revision=1.1 [5] http://cvs.php.net/viewvc.cgi/php-src/ext/standard/array.c?r1=1.308.2.21.2.61&r2=1.308.2.21.2.62&diff_format=u
We already have a request for bug 249875 in, so YES.
GLSA 201001-03. Thank you everyone, sorry about the delay.