[ubuntu/dapper-security] php5 (delayed), php5 5.1.2-1ubuntu3.19 (Accepted)

Ubuntu Installer archive at ubuntu.com
Mon Sep 20 14:12:26 BST 2010 

php5 (5.1.2-1ubuntu3.19) dapper-security; urgency=low

  * SECURITY UPDATE: denial of service via xmlrpc crafted argument
    - debian/patches/CVE-2010-0397.patch: make sure method_name isn't empty
      in ext/xmlrpc/xmlrpc-epi-php.c, add test to
      ext/xmlrpc/tests/bug51288.phpt.
    - CVE-2010-0397
  * SECURITY UPDATE: weak entropy in Linear Congruential Generator (LCG)
    - debian/patches/CVE-2010-1128.patch: add more entropy in
      ext/standard/lcg.c.
    - CVE-2010-1128
  * SECURITY UPDATE: safe_mode bypass via trailing slash in dir pathnames
    - debian/patches/CVE-2010-1129.patch: properly validate pathname in
      ext/standard/file.c.
    - CVE-2010-1129
  * SECURITY UPDATE: arbitrary code execution via empty SQL query
    - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
      ext/sqlite/sqlite.c.
    - CVE-2010-1868
  * SECURITY UPDATE: denial of service via fnmatch stack consumption
    - debian/patches/CVE-2010-1917.patch: limit size of pattern in
      ext/standard/file.c.
    - CVE-2010-1917
  * SECURITY UPDATE: sensitive information disclosure via error messages
    - debian/patches/CVE-2010-2531.patch: don't display data when flushing
      output buffer in ext/standard/{var.c,php_var.h}.
    - CVE-2010-2531
  * SECURITY UPDATE: arbitrary session variable modification via crafted
    session variable name
    - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
      ext/session/session.c.
    - CVE-2010-3065

Date: Thu, 16 Sep 2010 10:24:44 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
https://launchpad.net/ubuntu/dapper/+source/php5/5.1.2-1ubuntu3.19
-------------- next part --------------
Format: 1.7
Date: Thu, 16 Sep 2010 10:24:44 -0400
Source: php5
Binary: php5-mysqli php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-dev php5-snmp php5-sqlite
Architecture: source
Version: 5.1.2-1ubuntu3.19
Distribution: dapper-security
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-mysqli - MySQL Improved module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Changes: 
 php5 (5.1.2-1ubuntu3.19) dapper-security; urgency=low
 .
   * SECURITY UPDATE: denial of service via xmlrpc crafted argument
     - debian/patches/CVE-2010-0397.patch: make sure method_name isn't empty
       in ext/xmlrpc/xmlrpc-epi-php.c, add test to
       ext/xmlrpc/tests/bug51288.phpt.
     - CVE-2010-0397
   * SECURITY UPDATE: weak entropy in Linear Congruential Generator (LCG)
     - debian/patches/CVE-2010-1128.patch: add more entropy in
       ext/standard/lcg.c.
     - CVE-2010-1128
   * SECURITY UPDATE: safe_mode bypass via trailing slash in dir pathnames
     - debian/patches/CVE-2010-1129.patch: properly validate pathname in
       ext/standard/file.c.
     - CVE-2010-1129
   * SECURITY UPDATE: arbitrary code execution via empty SQL query
     - debian/patches/CVE-2010-1868.patch: use ecalloc instead of emalloc in
       ext/sqlite/sqlite.c.
     - CVE-2010-1868
   * SECURITY UPDATE: denial of service via fnmatch stack consumption
     - debian/patches/CVE-2010-1917.patch: limit size of pattern in
       ext/standard/file.c.
     - CVE-2010-1917
   * SECURITY UPDATE: sensitive information disclosure via error messages
     - debian/patches/CVE-2010-2531.patch: don't display data when flushing
       output buffer in ext/standard/{var.c,php_var.h}.
     - CVE-2010-2531
   * SECURITY UPDATE: arbitrary session variable modification via crafted
     session variable name
     - debian/patches/CVE-2010-3065.patch: handle PS_UNDEF_MARKER marker in
       ext/session/session.c.
     - CVE-2010-3065
Files: 
 4e521b0cdf30fc3e1b1be7aa51df4b5e 1777 web optional php5_5.1.2-1ubuntu3.19.dsc
 14c7d4eaa9a2c9554cb6d69e675a150c 154712 web optional php5_5.1.2-1ubuntu3.19.diff.gz

More information about the dapper-changes mailing list