Several remote vulnerabilities have been discovered in the PHP 5
hypertext preprocessor. The Common Vulnerabilities and Exposures
project identifies the following problems.
The following four vulnerabilities have already been fixed in the stable
(lenny) version of php5 prior to the release of lenny. This update now
addresses them for etch (oldstable) as well:
- CVE-2008-2107 / CVE-2008-2108
The GENERATE_SEED macro has several problems that make predicting
generated random numbers easier, facilitating attacks against measures
that use rand() or mt_rand() as part of a protection.
- CVE-2008-5557
A buffer overflow in the mbstring extension allows attackers to execute
arbitrary code via a crafted string containing an HTML entity.
- CVE-2008-5624
The page_uid and page_gid variables are not correctly set, allowing
use of some functionality intended to be restricted to root.
- CVE-2008-5658
Directory traversal vulnerability in the ZipArchive::extractTo function
allows attackers to write arbitrary files via a ZIP file with a file
whose name contains … (dot dot) sequences.
This update also addresses the following three vulnerabilities for both
oldstable (etch) and stable (lenny):
- CVE-2008-5814
Cross-site scripting (XSS) vulnerability, when display_errors is enabled,
allows remote attackers to inject arbitrary web script or HTML.
- CVE-2009-0754
When running on Apache, PHP allows local users to modify behavior of
other sites hosted on the same web server by modifying the
mbstring.func_overload setting within .htaccess, which causes this
setting to be applied to other virtual hosts on the same server.
- CVE-2009-1271
The JSON_parser function allows a denial of service (segmentation fault)
via a malformed string to the json_decode API function.
Furthermore, two updates originally scheduled for the next point update for
oldstable are included in the etch package:
- Let PHP use the system timezone database instead of the embedded
timezone database which is out of date.
- From the source tarball, the unused ‘dbase’ module has been removed
which contained licensing problems.
For the old stable distribution (etch), these problems have been fixed in
version 5.2.0+dfsg-8+etch15.
For the stable distribution (lenny), these problems have been fixed in
version 5.2.6.dfsg.1-1+lenny3.
For the unstable distribution (sid), these problems have been fixed in
version 5.2.9.dfsg.1-1.
We recommend that you upgrade your php5 package.