-
Committer:
Bazaar Package Importer
-
Author(s):
Jamie Strandboge, Tormod Volden, Jamie Strandboge
-
Date:
2008-07-18 11:50:38 UTC
-
mfrom:
(29.1.2 hardy-proposed)
-
Revision ID:
james.westby@ubuntu.com-20080718115038-6292xfjn3cb9f43r
Tags: 5.2.4-2ubuntu5.3
[ Tormod Volden ]
* Backport security fixes from 5.2.6: (LP: #227464)
- debian/patches/SECURITY_CVE-2008-2050.patch
+ Fixed possible stack buffer overflow in FastCGI SAPI
+ Fixed sending of uninitialized paddings which may contain some
information
- debian/patches/SECURITY_CVE-2008-0599.patch
+ Fixed security issue detailed in CVE-2008-0599
- debian/patches/SECURITY_CVE-2007-4850.patch
+ Fixed a safe_mode bypass in cURL identified by Maksymilian
Arciemowicz
- debian/patches/security526-pcre_compile.patch:
+ avoid stack overflow (fix from pcre 7.6)
[ Jamie Strandboge ]
* debian/patches/SECURITY_CVE-2008-2051.patch: properly address incomplete
multibyte chars inside escapeshellcmd() (thanks Tormod Volden)
* Add debian/patches/SECURITY_CVE-2007-5898.patch: don't accept partial utf8
sequences. Backported upstream fixes.
* Add debian/patches/SECURITY_CVE-2007-5899.patch: don't send session id to
remote forms. Backported upstream fixes.
* Add debian/patches/SECURITY_CVE-2008-2829.patch: unsafe usage of
deprecated imap functions (patch from Debian)
* Add debian/patches/SECURITY_CVE-2008-1384.patch: integer overflow in
printf() (patch from Debian)
* Add debian/patches/SECURITY_CVE-2008-2107+2108.patch: weak random number
seed. Backported upstream patches.
* Add debian/patches/SECURITY_CVE-2007-4782.patch: DoS via long string in
the fnmatch functions
* Add debian/patches/SECURITY_CVE-2008-2371.patch: buffer overflow.
Backported upstream patches.
* References
CVE-2008-2050
CVE-2008-2051
CVE-2008-0599
CVE-2007-4850
CVE-2007-5898
CVE-2007-5899
CVE-2008-2829
CVE-2008-1384
CVE-2008-2107
CVE-2008-2108
CVE-2007-4782
CVE-2008-2371