
Fedora alert FEDORA-2010-18976 (php)

Subject:  [SECURITY] Fedora 14 Update: php-5.3.4-1.fc14.1
Date:  Tue, 04 Jan 2011 20:55:36 +0000
Message-ID:  <>
Archive-link:  Article, Thread

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-18976
2010-12-17 07:51:56
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 14
Version     : 5.3.4
Release     : 1.fc14.1
URL         :
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it easy for
developers to write dynamically generated web pages. PHP also offers built-in
database integration for several commercial and non-commercial database
management systems, so writing a database-enabled webpage with PHP is fairly
simple. The most common use of PHP coding is probably as a replacement for CGI
scripts.

The php package contains the module which adds support for the PHP language to
Apache HTTP Server.

--------------------------------------------------------------------------------
Update Information:

Security Enhancements and Fixes in PHP 5.3.4:

* Fixed crash in zip extract method (possible CWE-170).
* Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
* Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150).
* Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709).
* Fixed possible flaw in open_basedir (CVE-2010-3436).
* Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950).
* Fixed symbolic resolution support when the target is a DFS share.
* Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710).

Key Bug Fixes in PHP 5.3.4 include:

* Added stat support for zip stream.
* Added follow_location (enabled by default) option for the http stream support.
* Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
* Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.

Full upstream Changelog :

This update also provides php-eaccelerator and maniadrive packages rebuilt against the updated php.

--------------------------------------------------------------------------------
ChangeLog:

* Sun Dec 12 2010 Remi Collet <> 5.3.4-1.1
- security patch from upstream for #660517
* Sat Dec 11 2010 Remi Collet <> 5.3.4-1
- update to 5.3.4
- move phpize to php-cli (see #657812)

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #649056 - CVE-2010-3870 php: XSS mitigation bypass via utf8_decode()
  [ 2 ] Bug #651206 - CVE-2010-3709 php: NULL pointer dereference in ZipArchive::getArchiveComment
  [ 3 ] Bug #651682 - CVE-2010-4156 php information disclosure via mb_strcut()
  [ 4 ] Bug #652836 - CVE-2009-5016 php: XSS and SQL injection bypass via crafted overlong UTF-8 encoded string
  [ 5 ] Bug #660382 - CVE-2010-4409 php: getSymbol() integer overflow vulnerability
  [ 6 ] Bug #656917 - CVE-2010-4150 php: Double free in the imap extension
  [ 7 ] Bug #646684 - CVE-2010-3710 php: DoS in filter_var() via long email string

--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use

  su -c 'yum update php'

at the command line. For more information, refer to "Managing Software with
yum", available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at

--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
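Two of the fixes listed above, the rejection of paths containing a NUL byte (CVE-2006-7243) and the open_basedir hardening (CVE-2010-3436), can also be enforced at the application layer so that a deployment does not depend on the interpreter version for them. The following is an added example, not code from the advisory or from PHP itself; the function name `is_safe_path` and the sample paths are constructed for illustration.

```php
<?php
// Added example: validate a user-supplied path before it reaches any
// filesystem function. Two independent checks, in the order that matters:
//  1. An embedded NUL byte makes the whole string invalid. C-level APIs stop
//     at the first NUL, so "foo\0bar.txt" would otherwise be checked as one
//     name in PHP and opened as another ("foo") by the OS (CVE-2006-7243).
//  2. The resolved path must stay inside an allowed base directory, which is
//     the property open_basedir is meant to guarantee (cf. CVE-2010-3436).
// No scalar type hints are used so the code also runs on PHP 5.3.x.
function is_safe_path($path, $baseDir)
{
    // Check 1: reject before realpath() or any other C-backed call sees it.
    if (!is_string($path) || strpos($path, "\0") !== false) {
        return false;
    }

    // Check 2: canonicalise both sides, then require a directory-prefix match.
    $realBase = realpath($baseDir);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false; // base missing, target missing, or not resolvable
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($realPath, $prefix, strlen($prefix)) === 0;
}

// Constructed demonstration inputs (the base directory is hypothetical).
$base = '/var/www/uploads';
$inputs = array(
    '/var/www/uploads/report.txt',        // plain name under the base
    "/var/www/uploads/report.txt\0.jpg",  // NUL-byte truncation attempt
    '/var/www/uploads/../config.php',     // traversal outside the base
);
foreach ($inputs as $candidate) {
    printf("%-40s -> %s\n",
        addcslashes($candidate, "\0"),
        is_safe_path($candidate, $base) ? 'allowed' : 'rejected');
}
```

The NUL check runs first on purpose: realpath() is itself a C-backed call and would already see the truncated name.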


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds