On Wed, Jul 02, 2008 at 04:06:00PM -0400, Scott Kitterman wrote:
> On Wednesday 02 July 2008 15:10, Daniel Hahler wrote:
> > Christian Desrochers wrote:
> > > Our web servers have been checked recently by an external security firm.
> > > We have been told that our web servers need to be upgraded to the latest
> > > version in order to fix some security issues.
> >
> > The changelog for PHP 5.2.6 lists:
> > * Fixed possible stack buffer overflow in the FastCGI SAPI
> >   identified by Andrei Nigmatulin.
> > * Fixed integer overflow in printf() identified by Maksymilian
> >   Arciemowicz.
> > * Fixed security issue detailed in CVE-2008-0599 identified by Ryan
> >   Permeh.
> > * Fixed a safe_mode bypass in cURL identified by Maksymilian
> >   Arciemowicz.
> > * Properly address incomplete multibyte chars inside
> >   escapeshellcmd() identified by Stefan Esser.
> > * Upgraded bundled PCRE to version 7.6
> >
> > ..and there hasn't been any upload to *-security for this (AFAICS).
> >
> > Previously I was using PHP from CVS (branch PHP_5_2) and updated that
> > from time to time, following the CVS commits.
> >
> > On a new server I'm using the official packages, but have backported the
> > package from Debian unstable (and/or Intrepid) to include all the fixes.
> >
> > I think it would make a lot of sense to request a backport for PHP (for
> > Dapper, Gutsy and Hardy; see
> > https://help.ubuntu.com/community/UbuntuBackports).
> >
> > Still, it looks like a security update would be required, too.
>
> Daniel,
>
> It would be nice if you could file some bugs and provide some patches ...
Hmm - this is all discussed in 227464:

  https://bugs.edge.launchpad.net/ubuntu/+source/php5/+bug/227464

Fixed in Intrepid, and progress is being made on good patches for a
security update. A debdiff is available:

  https://bugs.edge.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15

and a ppa version for Hardy in

  https://edge.launchpad.net/~tormodvolden/+archive

Which all goes to show that searching the bug database first, or early on
in the conversation, would avoid a lot of messages....

Neal McBurnett                 http://mcburnett.org/neal/

-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss