Change logs for php4 source package in Breezy

  • php4 (4:4.4.0-3ubuntu2) breezy-security; urgency=low
    
      * SECURITY UPDATE: multiple fixes backported from 5.1.2 and CVS:
        - Fix multiple HTTP response splitting vulnerabilities in sessions and
          the header() function, due to lack of input validation; CVE-2006-0207
          + Add safety checks in the header() function to make sure that we
            don't get newlines injected by (mis)use of user input in headers.
          + Add a check for invalid characters in session names, so that we
            aren't subject to HTTP response splitting vulnerabilities in
            the Set-Cookie header we send back out as a result of user input.
        - Filter HTML error reporting, preventing cross-site scripting attacks
          when both display_errors and html_errors are enabled; CVE-2006-0208
    
     -- Adam Conrad <email address hidden>  Wed,  8 Mar 2006 17:50:13 +1100
  • php4 (4:4.4.0-3ubuntu1) breezy-security; urgency=low
    
      * SECURITY UPDATE: multiple fixes backported from new upstream releases:
        - Resolves a local denial of service in the apache2 SAPI, which can
          be triggered by using session.save_path in .htaccess; CVE-2005-3319
        - Resolves an infinite loop in the exif_read_data function which can
          be triggered with a specially-crafted JPEG image; CVE-2005-3353
        - Resolves an XSS vulnerability in the phpinfo function; CVE-2005-3388
        - Resolves a vulnerability in the parse_str function whereby a remote
          attacker can fool PHP into turning on register_globals, thus making
          applications vulnerable to global variable injections; CVE-2005-3389
        - Resolves a vulnerability in the RFC1867 file upload feature where, if
          register_globals is enabled, a remote attacker can modify the GLOBALS
          array with a multipart/form-data POST request; see CVE-2005-3390
        - Resolves numerous safe_mode and open_basedir bypasses; CVE-2005-3391
        - Resolves INI settings leaks in the apache2 SAPI, leading to safe_mode
          and open_basedir bypasses between virtual hosts; CVE-2005-3392
        - Resolves a CRLF injection vulnerability in the mb_send_mail function,
          allowing injection of arbitrary mail headers; see CVE-2005-3883
    
     -- Adam Conrad <email address hidden>  Mon, 19 Dec 2005 16:48:53 +1100
  • php4 (4:4.4.0-3) unstable; urgency=low
    
      * Remove Andres Salomon from the Uploaders field, at his request.  Thanks
        for all your work on the PHP packages, Andres, now fix our kernel bugs.
      * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
        is set to "/foo/", users can access files in "/foobar/", which is not the
        documented behaviour; this addresses CAN-2005-3054 (closes: #323585)
      * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
        checks to the _php_image_output and _php_image_output_ctx GD functions.
    
     -- Adam Conrad <adconrad@0c3.net>  Tue, 27 Sep 2005 16:12:05 +1000