Lexa Software: Security-Alerts@yandex-team.ru archive

		Apache-Talk @lexa.ru
		Inet-Admins @info.east.ru
		Filmscanners @halftone.co.uk
		Security-alerts @yandex-team.ru
		nginx-ru @sysoev.ru

СТАТЬИ

ПЕРСОНАЛЬНОЕ

ПРОГРАММЫ

ПИШИТЕ
ПИСЬМА

АРХИВ :: Security-alerts

Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FYI: PHP 5.2.1 Release Announcement

To: <security-alerts@xxxxxxxxxxxxxx>
Subject: [security-alerts] FYI: PHP 5.2.1 Release Announcement
From: "Kazennov, Vladimir" <Vladimir.Kazennov@xxxxxxxxxx>
Date: Fri, 9 Feb 2007 12:48:02 +0300
Content-class: urn:content-classes:message
List-archive: <http://www.lexa.ru/security-alerts/> (Web Archive)
List-id: <security-alerts.yandex-team.ru>
List-subscribe: <mailto:majordomo@yandex-team.ru?body=subscribe%20security-alerts>
List-unsubscribe: <mailto:majordomo@yandex-team.ru?body=unsubscribe%20security-alerts>
Thread-index: AcdML2OvaRIhJ6acT/CZZqQRzkCnmg==
Thread-topic: FYI: PHP 5.2.1 Release Announcement


http://www.php.net/releases/5_2_1.php

PHP 5.2.1 Release Announcement

The PHP development team would like to announce the immediate
availability of PHP 5.2.1. This release is a major stability and
security enhancement of the 5.X branch, and all users are strongly
encouraged to upgrade to it as soon as possible.

Security Enhancements and Fixes in PHP 5.2.1:

    * Fixed possible safe_mode & open_basedir bypasses inside the
session extension.
    * Prevent search engines from indexing the phpinfo() page.
    * Fixed a number of input processing bugs inside the filter
extension.
    * Fixed unserialize() abuse on 64 bit systems with certain input
strings.
    * Fixed possible overflows and stack corruptions in the session
extension.
    * Fixed an underflow inside the internal sapi_header_op() function.
    * Fixed allocation bugs caused by attempts to allocate negative
values in some code paths.
    * Fixed possible stack overflows inside zip, imap & sqlite
extensions.
    * Fixed several possible buffer overflows inside the stream filters.
    * Fixed non-validated resource destruction inside the shmop
extension.
    * Fixed a possible overflow in the str_replace() function.
    * Fixed possible clobbering of super-globals in several code paths.
    * Fixed a possible information disclosure inside the wddx extension.
    * Fixed a possible string format vulnerability in *print() functions
on 64 bit systems.
    * Fixed a possible buffer overflow inside mail() and
ibase_{delete,add,modify}_user() functions.
    * Fixed a string format vulnerability inside the odbc_result_all()
function.
    * Memory limit is now enabled by default.
    * Added internal heap protection.
    * Extended filter extension support for $_SERVER in CGI and apache2
SAPIs.

The majority of the security vulnerabilities discovered and resolved can
in most cases be only abused by local users and cannot be triggered
remotely. However, some of the above issues can be triggered remotely in
certain situations, or exploited by malicious local users on shared
hosting setups utilizing PHP as an Apache module. Therefore, we strongly
advise all users of PHP, regardless of the version to upgrade to 5.2.1
release as soon as possible. PHP 4.4.5 with equivalent security
corrections will be available shortly.

Prev by Date: [security-alerts] FW: [SA24087] Trend Micro Products UPX Processing Buffer Overflow Vulnerability
Next by Date: [security-alerts] Fwd: [Full-disclosure] "0day was the case that they gave me"
Previous by thread: [security-alerts] FW: [SA24087] Trend Micro Products UPX Processing Buffer Overflow Vulnerability
Next by thread: [security-alerts] Fwd: [Full-disclosure] "0day was the case that they gave me"
Index(es):
- Date
- Thread