Re: php vulnerability

To: Chad Adlawan <tsadi.a@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: php vulnerability
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 18 Dec 2004 23:43:39 +0100
Message-id: <[🔎] 87zn0b1b38.fsf@deneb.enyo.de>
In-reply-to: <[🔎] 81cd136b04121807271316c332@mail.gmail.com> (Chad Adlawan's message of "Sat, 18 Dec 2004 23:27:32 +0800")
References: <[🔎] 81cd136b04121807271316c332@mail.gmail.com>

* Chad Adlawan:

> Re the PHP bugs announced by the Hardened-PHP Project
> (http://www.hardened-php.net/advisories/012004.txt).

This is very likely not the whole story.  According to the PHP 4.3.10
release announcement, additional bugs were fixed.  The following
vulnerabilities are only mentioned in the 4.3.10 release notes:

CAN-2004-1018 - shmop_write() out of bounds memory write access.
CAN-2004-1020 - addslashes() not escaping \0 correctly.
CAN-2004-1065 - exif_read_data() overflow on long sectionname.
magic_quotes_gpc could lead to one level directory traversal with file uploads.

> Is the php4 package in Debian stable affected?

Not sure.  Upstream's security support seems to be suboptimal.

Reply to:

Follow-Ups:
- Re: php vulnerability
  - From: saravanan ganapathy <sarav_gsa@yahoo.com>

References:
- php vulnerability
  - From: Chad Adlawan <tsadi.a@gmail.com>

Prev by Date: php vulnerability
Next by Date: php vulnerabilities
Previous by thread: php vulnerability
Next by thread: Re: php vulnerability
Index(es):
- Date
- Thread