Re: php vulnerability
* Chad Adlawan:
> Re the PHP bugs announced by the Hardened-PHP Project
This is very likely not the whole story. According to the PHP 4.3.10
release announcement, additional bugs were fixed. The following
vulnerabilities are only mentioned in the 4.3.10 release notes:
  CAN-2004-1018 - shmop_write() out of bounds memory write access.
  CAN-2004-1020 - addslashes() not escaping \0 correctly.
  CAN-2004-1065 - exif_read_data() overflow on long sectionname.
  magic_quotes_gpc could lead to one level directory traversal with file uploads.
> Is the php4 package in Debian stable affected?
Not sure. Upstream's security support seems to be suboptimal.