Need to upgrade apache2 and php5 for security reasons

Scott Kitterman ubuntu at
Wed Jul 2 20:06:00 UTC 2008

On Wednesday 02 July 2008 15:10, Daniel Hahler wrote:
> Christian Desrochers wrote:
> > Our web servers have been checked recently by an external security firm.
> > We have been told that our web servers need to be upgraded to the latest
> > version in order to fix some security issues.
> The changelog for PHP 5.2.6 lists:
>     *  Fixed possible stack buffer overflow in the FastCGI SAPI
> identified by Andrei Nigmatulin.
>     * Fixed integer overflow in printf() identified by Maksymilian
> Aciemowicz.
>     * Fixed security issue detailed in CVE-2008-0599 identified by Ryan
> Permeh.
>     * Fixed a safe_mode bypass in cURL identified by Maksymilian
> Arciemowicz.
>     * Properly address incomplete multibyte chars inside
> escapeshellcmd() identified by Stefan Esser.
>     * Upgraded bundled PCRE to version 7.6
> ..and there hasn't been any upload to *-security for this (AFAICS).
> Previously I was using PHP from CVS (branch PHP_5_2) and updated that
> from time to time, following the CVS commits.
> On a new server I'm using the official packages, but have backported the
> package from Debian unstable (and/or Intrepid) to include all the fixes.
> I think it would make a lot of sense to request a backport for PHP (for
> Dapper, Gutsy and Hardy; see
> Still, it looks like a security update would be required, too.


It would be nice if you could file some bugs and provide some patches ...

Scott K

More information about the Ubuntu-devel-discuss mailing list