PHP 5.2.2 And PHP 4.4.7 Released
May 4, 2007
Quote:
Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals (MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in array_user_key_compare() (MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers. (MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables(). (by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library. (by Stanislav Malyshev)
Security Enhancements and Fixes in PHP 5.2.2 only:
* Fixed a header injection via Subject and To parameters to the mail() function (MOPB-34 by Stefan Esser)
* Fixed wrong length calculation in unserialize S type (MOPB-29 by Stefan Esser)
* Fixed substr_compare and substr_count information leak (MOPB-14 by Stefan Esser) (Stas, Ilia)
* Fixed a remotely trigger-able buffer overflow inside make_http_soap_request(). (by Ilia Alshanetsky)
* Fixed a buffer overflow inside user_filter_factory_create(). (by Ilia Alshanetsky)
Security Enhancements and Fixes in PHP 4.4.7 only:
* XSS in phpinfo() (MOPB-8 by Stefan Esser)
As always, get the source code from php.net and compile away. Or wait for your distro to put out an updated package.
Mar 2, 2007
[url]
Quote:
The PHP development team would like to announce the immediate availability of PHP 4.4.6. This release addresses a crash problem with the session extension when register_globals is turned on that was introduced in PHP 4.4.5. This release comes also with the new version 7.0 of PCRE and it addresses a number of minor bugs.
Download PHP 4.4.6: [url]
Detailed Changelog: [url]
So anyone's been upgraded?
Jun 2, 2007
The PHP development team would like to announce the immediate availability of PHP 5.2.3.
This release continues to improve the security and the stability of the 5.X branch as well as addressing two regressions introduced by the previous 5.2 releases. These regressions relate to the timeout handling over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in certain conditions. All users are encouraged to upgrade to this release.
Further details about the PHP 5.2.3 release can be found in the release announcement for 5.2.3, the full list of changes is available in the ChangeLog for PHP 5.
Security Enhancements and Fixes in PHP 5.2.3:
* Fixed an integer overflow inside chunk_split() (by Gerhard Wagner, CVE-2007-2872)
* Fixed possible infinite loop in imagecreatefrompng. (by Xavier Roche, CVE-2007-2756)
* Fixed ext/filter Email Validation Vulnerability (MOPB-45 by Stefan Esser, CVE-2007-1900)
* Fixed bug #41492 (open_basedir/safe_mode bypass inside realpath()) (by bugs dot php dot net at chsc dot dk)
* Improved fix for CVE-2007-1887 to work with non-bundled sqlite2 lib.
* Added mysql_set_charset() to allow runtime altering of connection encoding.
The key improvements of PHP 5.2.3 include:
* Improved compilation of heredocs and interpolated strings.
* Optimized out a couple of per-request syscalls.
* Optimized digest generation in md5() and sha1() functions.
* Fixed bug #41236 (Regression in timeout handling of non-blocking SSL connections during reads and writes)
* Fixed bug #39542 (Behavior of require/include different to < 5.2.0)
* Fixed bug #41293 (Fixed creation of HTTP_RAW_POST_DATA when there is no default post handler)
* Fixed bug #41347 (checkdnsrr() segfaults on empty hostname)
* Fixed bug #41353 (crash in openssl_pkcs12_read() on invalid input)
* Fixed bug #41403 (json_decode cannot decode floats if localeconv decimal_point is not '.')
* Fixed bug #41421 (Uncaught exception from a stream wrapper segfaults)
* Fixed bug #41504 (json_decode() incorrectly decodes JSON arrays with empty string keys).
* Over 40 bug fixes.
Full change log at [url]
Nov 4, 2009
For those keeping up with the latest virtualization news, Red Hat's hypervisor is now "Generally Available" as of today. Based on KVM, it may be a good alternative to VMWare if you need commercial support in your virtualization implementation.
Redhat Link
The code is GPL so I'm guessing we might see this soon in a Centos flavor?
Jan 18, 2007
If you're running rvskin on your cPanel boxes then please update right away. I found some security issues in the 7.1x tree and have been working with Rvskin, which is the reason for this new release. They were nice and quick to get it patched; poor guys haven't even had a chance to update their changelog yet.
Jul 12, 2007
I'm running lighttpd-1.4.15 and I have installed many mods which already come packed with the default install,
but I want to install this particular mod and I can't seem to find any way to use this .patch file.
How is this done? Please reply only if you've done it yourself and it worked.
More details on this mod.
[url]
Oct 22, 2009
As the title says, how many of you will switch to Windows hosting?
Hostdime seems to be the first offering cPanel for Windows.
Jul 18, 2009
cPanel has recently released a beta version of "Enkompass". It offers a web hosting control panel system for Microsoft Windows server-based hosts. For more details take a look at [url]