Debian Security Advisory DSA-2408-1 email@example.com http://www.debian.org/security/ Moritz Muehlenhoff February 13, 2012 http://www.debian.org/security/faq
Package : php5 Vulnerability : several Problem type : remote Debian-specific: no CVE ID : CVE-2011-1072 CVE-2011-4153 CVE-2012-0781 CVE-2012-0788 CVE-2012-0831
Several vulnerabilities have been discovered in PHP, the web scripting language. The Common Vulnerabilities and Exposures project identifies the following issues:
It was discoverd that insecure handling of temporary files in the PEAR installer could lead to denial of service.
Maksymilian Arciemowicz discovered that a NULL pointer dereference in the zend_strndup() function could lead to denial of service.
Maksymilian Arciemowicz discovered that a NULL pointer dereference in the tidy_diagnose() function could lead to denial of service.
It was discovered that missing checks in the handling of PDORow objects could lead to denial of service.
It was discovered that the magic_quotes_gpc setting could be disabled remotely
This update also addresses PHP bugs, which are not treated as security issues in Debian (see README.Debian.security), but which were fixed nonetheless: CVE-2010-4697, CVE-2011-1092, CVE-2011-1148, CVE-2011-1464, CVE-2011-1467 CVE-2011-1468, CVE-2011-1469, CVE-2011-1470, CVE-2011-1657, CVE-2011-3182 CVE-2011-3267
For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze8.
For the unstable distribution (sid), this problem has been fixed in version 5.3.10-1.
We recommend that you upgrade your php5 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/
Mailing list: firstname.lastname@example.org