On Wednesday 02 July 2008 15:10, Daniel Hahler wrote:
> Christian Desrochers wrote:
> > Our web servers have been checked recently by an external security firm.
> > We have been told that our web servers need to be upgraded to the latest
> > version in order to fix some security issues.
>
> The changelog for PHP 5.2.6 lists:
> * Fixed possible stack buffer overflow in the FastCGI SAPI identified by Andrei Nigmatulin.
> * Fixed integer overflow in printf() identified by Maksymilian Aciemowicz.
> * Fixed security issue detailed in CVE-2008-0599 identified by Ryan Permeh.
> * Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
> * Properly address incomplete multibyte chars inside escapeshellcmd() identified by Stefan Esser.
> * Upgraded bundled PCRE to version 7.6
>
> ..and there hasn't been any upload to *-security for this (AFAICS).
>
> Previously I was using PHP from CVS (branch PHP_5_2) and updated that from time to time, following the CVS commits.
>
> On a new server I'm using the official packages, but have backported the package from Debian unstable (and/or Intrepid) to include all the fixes.
>
> I think it would make a lot of sense to request a backport for PHP (for Dapper, Gutsy and Hardy; see https://help.ubuntu.com/community/UbuntuBackports).
>
> Still, it looks like a security update would be required, too.
Daniel,

It would be nice if you could file some bugs and provide some patches ...

Scott K

-- 
Ubuntu-devel-discuss mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
