Viewing all changes in revision 20.
- Committer: Bazaar Package Importer
- Date: 2007-10-19 12:58:34 UTC
- Revision ID: james.westby@ubuntu.com-20071019125834-4bq5rv7vbp868xmh
* SECURITY UPDATE: multiple vulnerabilities. Thanks to Sean Finney for
help locating upstream fixes.
* Add 200-string-wordwrap.patch: wordwrap function can be made to crash.
Backported upstream fixes (CVE-2007-3998).
* Add 201-strspn-oob-read.patch: memory reading, possible crash via strspn.
chunk_split. Backported upstream fixes (CVE-2007-4657).
* Add 202-money-format-abuse.patch: money_format format string vulnerable.
Backported upstream fixes (CVE-2007-4658).
* Add 203-openssl_make_REQ-overflow.patch: overflow in openssl_make_REQ.
Applied and corrected upstream fixes (CVE-2007-4662).
* Add 204-start-session-cookies.patch: overwrite cookie values.
Applied upstream fixes (CVE-2007-3799).
* Add 206-chunk_split-fixes.patch: memory reading, possible crash via
chunk_split. Merged various upstream fixes (CVE-2007-2872, CVE-2007-4660,
CVE-2007-4661).
* Add 206-cookie-nesting-fix.patch: corruption/crashes via deeply nested
variables. Backported upstream fixes (CVE-2007-1285, CVE-2007-4670).
* Add 207-htmlentity-utf8-fix.patch: don't accept partial utf8 sequences.
Backported upstream fixes (CVE-2007-5898).
* Add 208-session-id-leak.patch: don't send session id to remote forms.
Backported upstream fixes (CVE-2007-5899).
* References
http://www.php.net/releases/5_2_4.php
http://www.php.net/releases/5_2_5.php
help locating upstream fixes.
* Add 200-string-wordwrap.patch: wordwrap function can be made to crash.
Backported upstream fixes (CVE-2007-3998).
* Add 201-strspn-oob-read.patch: memory reading, possible crash via strspn.
chunk_split. Backported upstream fixes (CVE-2007-4657).
* Add 202-money-format-abuse.patch: money_format format string vulnerable.
Backported upstream fixes (CVE-2007-4658).
* Add 203-openssl_make_REQ-overflow.patch: overflow in openssl_make_REQ.
Applied and corrected upstream fixes (CVE-2007-4662).
* Add 204-start-session-cookies.patch: overwrite cookie values.
Applied upstream fixes (CVE-2007-3799).
* Add 206-chunk_split-fixes.patch: memory reading, possible crash via
chunk_split. Merged various upstream fixes (CVE-2007-2872, CVE-2007-4660,
CVE-2007-4661).
* Add 206-cookie-nesting-fix.patch: corruption/crashes via deeply nested
variables. Backported upstream fixes (CVE-2007-1285, CVE-2007-4670).
* Add 207-htmlentity-utf8-fix.patch: don't accept partial utf8 sequences.
Backported upstream fixes (CVE-2007-5898).
* Add 208-session-id-leak.patch: don't send session id to remote forms.
Backported upstream fixes (CVE-2007-5899).
* References
http://www.php.net/releases/5_2_4.php
http://www.php.net/releases/5_2_5.php
- files added:
- debian/patches/200-string-wordwrap.patch
- files modified:
- debian/changelog
expand all
collapse all
added
removed
