-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 4 May 2009 22:57:57 +0200 (CEST), Thijs Kinkhorst <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - ------------------------------------------------------------------------
> Debian Security Advisory DSA-1789-1                  [email protected]
> http://www.debian.org/security/                          Thijs Kinkhorst
> May 04, 2009                          http://www.debian.org/security/faq
> - ------------------------------------------------------------------------
>
> Package        : php5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-2107 CVE-2008-2108 CVE-2008-5557
>                  CVE-2008-5624 CVE-2008-5658 CVE-2008-5814
>                  CVE-2009-0754 CVE-2009-1271
> Debian Bugs    : 507101 507857 508021 511493 523028 523049
>
> Several remote vulnerabilities have been discovered in the PHP 5
> hypertext preprocessor. The Common Vulnerabilities and Exposures
> project identifies the following problems.
>
> The following four vulnerabilities have already been fixed in the
> stable (lenny) version of php5 prior to the release of lenny. This
> update now addresses them for etch (oldstable) as well:
>
>
> CVE-2008-5658
>
>     Directory traversal vulnerability in the ZipArchive::extractTo
>     function allows attackers to write arbitrary files via a ZIP file
>     with a file whose name contains .. (dot dot) sequences.
>

Hi,

It seems that there were some side effects. Since the upgrade we have PHP crashes with:

*** glibc detected *** double free or corruption (fasttop): 0x08718200 ***

The crash occurs inside the extractTo function. Please tell me if you need any additional information.

Regards

Sébastien

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkoBUPYACgkQd0QYNjAhJByo1ACfXa19m4icUAwVhtUd+/M+Z7J5
r+QAnRCLhvY1tfcsSqfKiXAW/OAEvXGn
=ThD4
-----END PGP SIGNATURE-----
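
An application-level check for the class of problem described under CVE-2008-5658 in the quoted advisory, as an added example that is not part of the original thread and is not the Debian or PHP patch: it refuses an archive before `extractTo()` is called if any entry name is absolute or contains a `..` segment. `unsafeEntryReason()` and `safeExtract()` are hypothetical names, the sample entry names are constructed, and PHP 7.1 or later with the zip extension is assumed.

```php
<?php
// Added example: hypothetical helpers, not code from PHP or Debian.

// Returns a reason string if the entry name could escape the destination
// directory, or null if the name looks safe.
function unsafeEntryReason(string $name): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return 'empty name or NUL byte';
    }
    $norm = str_replace('\\', '/', $name);   // treat both separators alike
    if ($norm[0] === '/' || preg_match('#^[A-Za-z]:#', $norm)) {
        return 'absolute path';
    }
    if (in_array('..', explode('/', $norm), true)) {
        return 'dot dot path segment';
    }
    return null;
}

// Checks every entry first and extracts only if all of them pass.
// Returns the list of problems found (empty on success).
function safeExtract(string $zipPath, string $dest): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $problems = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        $reason = ($name === false) ? 'unreadable name' : unsafeEntryReason($name);
        if ($reason !== null) {
            $problems[] = "entry #$i (" . var_export($name, true) . "): $reason";
        }
    }
    if ($problems === [] && !$zip->extractTo($dest)) {
        $problems[] = 'extractTo() failed';
    }
    $zip->close();
    return $problems;
}

// Constructed sample names, in the form getNameIndex() returns them.
$samples = ['docs/readme.txt', '../../outside.txt', 'a\\..\\b.txt', '/srv/x', 'C:/x'];
foreach ($samples as $n) {
    printf("%-20s %s\n", $n, unsafeEntryReason($n) ?? 'ok');
}
```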

