php5 - several vulnerabilities

Several remote vulnerabilities have been discovered in the PHP 5
hypertext preprocessor. The Common Vulnerabilities and Exposures
project identifies the following problems.

The following four vulnerabilities have already been fixed in the stable
(lenny) version of php5 prior to the release of lenny. This update now
addresses them for etch (oldstable) as well:

• CVE-2008-2107 / CVE-2008-2108
  The GENERATE_SEED macro has several problems that make predicting
  generated random numbers easier, facilitating attacks against measures
  that use rand() or mt_rand() as part of a protection.
• CVE-2008-5557
  A buffer overflow in the mbstring extension allows attackers to execute
  arbitrary code via a crafted string containing an HTML entity.
• CVE-2008-5624
  The page_uid and page_gid variables are not correctly set, allowing
  use of some functionality intended to be restricted to root.
• CVE-2008-5658
  Directory traversal vulnerability in the ZipArchive::extractTo function
  allows attackers to write arbitrary files via a ZIP file with a file
  whose name contains … (dot dot) sequences.

This update also addresses the following three vulnerabilities for both
oldstable (etch) and stable (lenny):

• CVE-2008-5814
  Cross-site scripting (XSS) vulnerability, when display_errors is enabled,
  allows remote attackers to inject arbitrary web script or HTML.
• CVE-2009-0754
  When running on Apache, PHP allows local users to modify behavior of
  other sites hosted on the same web server by modifying the
  mbstring.func_overload setting within .htaccess, which causes this
  setting to be applied to other virtual hosts on the same server.
• CVE-2009-1271
  The JSON_parser function allows a denial of service (segmentation fault)
  via a malformed string to the json_decode API function.

Furthermore, two updates originally scheduled for the next point update for
oldstable are included in the etch package:

• Let PHP use the system timezone database instead of the embedded
  timezone database which is out of date.
• From the source tarball, the unused ‘dbase’ module has been removed
  which contained licensing problems.

For the old stable distribution (etch), these problems have been fixed in
version 5.2.0+dfsg-8+etch15.

For the stable distribution (lenny), these problems have been fixed in
version 5.2.6.dfsg.1-1+lenny3.

For the unstable distribution (sid), these problems have been fixed in
version 5.2.9.dfsg.1-1.

We recommend that you upgrade your php5 package.