Hi all, I see Gentoo has just release a new version of PHP to take care of a parse error in php_variables.c leading to an memory read when passing a specially crafted parameter. Also commented in the advisory was a method of overwriting the $_FILES array using a specially crafted header. Reading between the lines of the various advisories it seems that 4.1.2 isn't affected by the parse error issue, but all versions later are (according to the Gentoo advisory). Details: http://www.securityfocus.com/archive/1/375294 http://www.securityfocus.com/archive/1/375370 http://secunia.com/advisories/12560 As I didn't QA the recent PHP release, I'm not sure whether either of these were covered in the new FL release. I can't find any mention of these on Bugzilla either (for FL or Fedora Stable). Doing a quick grep through the 4.2.2 patch doesn't seem to show any fixes for the php_variables.c parse error. Any comments? - Si -- Simon Weller LPIC-2 Systems Engineer NZServers LTD http://www.nzservers.com/ U.S. Branch <- To mess up a Linux box, you need to work at it; to mess up your Windows box, you just need to work on it. - Scott Granneman, Security Focus -> -- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
