Need to upgrade apache2 and php5 for security reasons
Scott Kitterman
ubuntu at kitterman.com
Wed Jul 2 20:06:00 UTC 2008
On Wednesday 02 July 2008 15:10, Daniel Hahler wrote:
> Christian Desrochers wrote:
> > Our web servers have been checked recently by an external security firm.
> > We have been told that our web servers need to be upgraded to the latest
> > version in order to fix some security issues.
>
> The changelog for PHP 5.2.6 lists:
> * Fixed possible stack buffer overflow in the FastCGI SAPI
> identified by Andrei Nigmatulin.
> * Fixed integer overflow in printf() identified by Maksymilian
> Arciemowicz.
> * Fixed security issue detailed in CVE-2008-0599 identified by Ryan
> Permeh.
> * Fixed a safe_mode bypass in cURL identified by Maksymilian
> Arciemowicz.
> * Properly address incomplete multibyte chars inside
> escapeshellcmd() identified by Stefan Esser.
> * Upgraded bundled PCRE to version 7.6
>
> ..and there hasn't been any upload to *-security for this (AFAICS).
>
> Previously I was using PHP from CVS (branch PHP_5_2) and updated that
> from time to time, following the CVS commits.
>
> On a new server I'm using the official packages, but have backported the
> package from Debian unstable (and/or Intrepid) to include all the fixes.
>
> I think it would make a lot of sense to request a backport for PHP (for
> Dapper, Gutsy and Hardy; see
> https://help.ubuntu.com/community/UbuntuBackports).
>
> Still, it looks like a security update would be required, too.
Daniel,
It would be nice if you could file some bugs and provide some patches ...
Scott K