Debian Security Advisory DSA-3074-2 firstname.lastname@example.org http://www.debian.org/security/ Yves-Alexis Perez November 19, 2014 http://www.debian.org/security/faq
Package : php5
The previous update for php5, DSA-3074-1, introduced regression in the sessionclean cron script. The change was intended to fix a potential symlink attack using filenames including the NULL character (Debian bug
This update reverts the fix, so people are advised to keep kernel symlink protection (sysctl fs.protected_symlinks=1) enabled as it is by default on Wheezy, which is enough to prevent successful exploitation.
For the stable distribution (wheezy), this problem has been fixed in version 5.4.35-0+deb7u2.
We recommend that you upgrade your php5 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: email@example.com