PHP releases 5.2.5 to fix multiple vulnerabilities
For the ones of you who have not opted to receive the PHP announcements from the php.net site, here’s an important one you shouldn’t miss if you are using the 5.2.x branch.
From the PHP team:
over 60 bug fixes, several of which are security related
Some of the vulnerabilities are:
- Various errors exist in the “htmlentities” and “htmlspecialchars” functions where partial multibyte sequences are not accepted.
- Various boundary errors exist in the “fnmatch()”, “setlocale()”, and “glob()” functions and can be exploited to cause buffer overflows.
- An error in the processing of “.htaccess” files can be exploited to bypass the “disable_functions” directive by modifying the “mail.force_extra_parameters” php.ini directive via an “.htaccess” file.
- An error in the handling of variables can be exploited to overwrite values set in httpd.conf via the “ini_set()” function.
More details can be found in the official announcement here.
Trackbacks
Use this link to trackback from your own site.
