2015-05-21 - 0.9.38
- removed code compatibility for PHP <5.4 (lots of code + ifdefs)
- allow https location for suhosin.filter.action
- fixed newline detection for suhosin.mail.protect
- Added suhosin.upload.max_newlines to protect against DOS attack via many MIME headers in RFC1867 uploads (CVE-2015-4024)
- mail related test cases now work on linux
Arches, please mark stable
Target keywords: dev-php/suhosin-0.9.38 alpha amd64 arm hppa ia64 sparc x86

Note: Upstream acknowledges these tests fail on php 5.4 [1]. So please expect these tests to fail.
Testing: suhosin.executor.eval.blacklist=max [tests/executor/eval_blacklist.phpt]
Testing: suhosin.executor.eval.blacklist=printf via call_user_func [tests/executor/eval_blacklist_printf.phpt]
Testing: suhosin.executor.eval.whitelist=printf via call_user_func [tests/executor/eval_whitelist_call_user_func.phpt]
Testing: suhosin.executor.func.blacklist=printf [tests/executor/function_blacklist_printf.phpt]
Testing: suhosin.executor.func.whitelist=call_user_func [tests/executor/function_whitelist_call_user_func.phpt]

[1] https://github.com/stefanesser/suhosin/issues/68
Stable for HPPA.
amd64 stable
x86 stable
CVE-2015-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-4024): Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
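The CVE text above describes form data whose MIME parts carry so many headers that the multipart parser's work grows far faster than the input. The changelog's suhosin.upload.max_newlines setting counters this by capping header lines per part before the full parser runs. The following is an added illustration of that mitigation idea, written here as an example and not taken from suhosin or PHP; the cap value, the helper names, the boundary string and the sample bodies are all constructed assumptions.

```python
"""Pre-parse check for RFC 1867 (multipart/form-data) uploads.

Constructed example, not suhosin's code: it illustrates the mitigation idea
behind suhosin.upload.max_newlines by counting header lines per MIME part and
rejecting the body before a full parser spends time on it.  The cap value,
the helper names and the sample bodies are all assumptions made here.
"""

BOUNDARY = b"----ExampleBoundary"   # constructed boundary used by the sample bodies
MAX_HEADER_LINES = 64               # assumed cap; choose one that fits real clients


def split_parts(body: bytes, boundary: bytes) -> list[bytes]:
    """Return the raw parts between delimiters, without preamble or epilogue."""
    delim = b"--" + boundary
    parts = []
    for chunk in body.split(delim)[1:]:        # [0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):            # "--boundary--" closes the message
            break
        if chunk.startswith(b"\r\n"):          # drop the line break that follows the delimiter
            chunk = chunk[2:]
        elif chunk.startswith(b"\n"):
            chunk = chunk[1:]
        parts.append(chunk)
    return parts


def header_block(part: bytes) -> bytes:
    """Headers end at the first blank line; a part with no blank line is all headers."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = part.find(sep)
        if idx != -1:
            return part[:idx]
    return part


def count_part_header_lines(body: bytes, boundary: bytes) -> list[int]:
    """Number of non-empty header lines in each part, in order."""
    counts = []
    for part in split_parts(body, boundary):
        lines = header_block(part).split(b"\n")
        counts.append(sum(1 for line in lines if line.strip()))
    return counts


def exceeds_limit(body: bytes, boundary: bytes, limit: int = MAX_HEADER_LINES) -> bool:
    """True when any part carries more header lines than the cap allows."""
    return any(n > limit for n in count_part_header_lines(body, boundary))


def build_body(header_counts: list[int]) -> bytes:
    """Build a constructed multipart body whose parts carry the given header counts."""
    out = b""
    for i, n in enumerate(header_counts):
        out += b"--" + BOUNDARY + b"\r\n"
        out += b'Content-Disposition: form-data; name="field%d"\r\n' % i
        for j in range(n - 1):                 # padding headers beyond Content-Disposition
            out += b"X-Extra-%d: x\r\n" % j
        out += b"\r\nvalue%d\r\n" % i
    return out + b"--" + BOUNDARY + b"--\r\n"


NORMAL_BODY = build_body([2, 1])        # two parts, shaped like a browser upload
OVERSIZED_BODY = build_body([2, 500])   # second part padded far past the cap


if __name__ == "__main__":
    print(count_part_header_lines(NORMAL_BODY, BOUNDARY))     # [2, 1]
    print(exceeds_limit(NORMAL_BODY, BOUNDARY))               # False
    print(exceeds_limit(OVERSIZED_BODY, BOUNDARY))            # True
```

The check is linear in the body size and runs before any per-header work, which is the point: a request that fails it never reaches the parser whose growth the CVE describes. In a deployment the cap would sit alongside the existing size limits on uploads rather than replace them.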
sparc stable
arm stable
alpha stable
ia64 stable
cleanup please!
GLSA vote: no.
GLSA Vote: No
Cleanup done.

+ 22 Jul 2015; Brian Evans <grknight@gentoo.org> -suhosin-0.9.37.1.ebuild:
+ Remove security vulnerable version
(In reply to Brian Evans from comment #11)
> Cleanup done.
> + 22 Jul 2015; Brian Evans <grknight@gentoo.org> -suhosin-0.9.37.1.ebuild:
> + Remove security vulnerable version

Thanks for cleanup