php4

Several remote vulnerabilities have been discovered in PHP, a
server-side, HTML-embedded scripting language, which may lead to the
execution of arbitrary code. The Common Vulnerabilities and Exposures
project identifies the following problems:

• CVE-2007-1286
  Stefan Esser discovered an overflow in the object reference handling
  code of the unserialize() function, which allows the execution of
  arbitrary code if malformed input is passed from an application.
• CVE-2007-1380
  Stefan Esser discovered that the session handler performs
  insufficient validation of variable name length values, which allows
  information disclosure through a heap information leak.
• CVE-2007-1521
  Stefan Esser discovered a double free vulnerability in the
  session_regenerate_id() function, which allows the execution of
  arbitrary code.
• CVE-2007-1711
  Stefan Esser discovered a double free vulnerability in the session
  management code, which allows the execution of arbitrary code.
• CVE-2007-1718
  Stefan Esser discovered that the mail() function performs
  insufficient validation of folded mail headers, which allows mail
  header injection.
• CVE-2007-1777
  Stefan Esser discovered that the extension to handle ZIP archives
  performs insufficient length checks, which allows the execution of
  arbitrary code.

For the oldstable distribution (sarge) these problems have been fixed in
version 4.3.10-20.

For the stable distribution (etch) these problems have been fixed
in version 4.4.4-8+etch2.

For the unstable distribution (sid) these problems have been fixed in
version 4.4.6-1. php4 will be removed from sid; thus you are strongly
advised to migrate to php5 if you prefer to follow the unstable
distribution.

We recommend that you upgrade your PHP packages. Packages for the arm,
m68k, mips and mipsel architectures are not yet available. They will be
provided later.