Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

PHP 5.2.3 released

Published: 2007-06-01
Last Updated: 2007-06-01 08:20:25 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

PHP released PHP version 5.2.3.

From the release notes following security improvements have been made:

  • Fixed an integer overflow inside chunk_split() (CVE-2007-2872)
  • Fixed possible infinite loop in imagecreatefrompng. (CVE-2007-2756)
  • Fixed ext/filter Email Validation Vulnerability (CVE-2007-1900)
  • Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath ())
  • Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
  • Added mysql_set_charset() to allow runtime altering of connection encoding.

Take care with the fixes not listed as security related as there seem to be at least a few of them that are interesting from either a security application point of view, or just from an availability point of view. E.g.:

  • Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
  • Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)

If you are on the 5.2 branch best to upgrade ASAP to 5.2.3 .

While recompiling and testing PHP, consider adding in Suhosin from the hardened PHP project, it'll improve your security stance.

--
Swa Frantzen -- NET2S

Keywords:
0 comment(s)
Diary Archives