Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 18 Jun 2015 11:22:38 +0200
From: Tomas Hoger <>
Subject: PHP 5.6.10 / 5.5.26 / 5.4.42 CVE request


PHP 5.6.10 / 5.5.26 / 5.4.42 releases fix few issues tagged as security
in upstream bug tracker:

Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).;a=commitdiff;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9
(Windows specific)

Imroved fix for bug #69545 (Integer overflow in ftp_genlist() resulting
in heap overflow).;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2
(#69545 was originally fixed in 5.4.41 / 5.5.25 / 5.6.9 and got
CVE-2015-4022, but the fix was found to be incomplete, as explained in
the upstream bug)

Fixed bug #69719 (Incorrect handling of paths with NULs).;a=commitdiff;h=8fc52d77d6f66c438c98d536e2309b5fd13f90de
(This already got CVE-2015-4598 assigned in

Fixed bug #69667 (segfault in php_pgsql_meta_data).;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64
(Not security bug upstream, but we found this when testing updates with
fixes for CVE-2015-1352.  I believe the original issue that got
CVE-2015-1352 is not considered security by upstream either, so just
noting this for completeness.)

Tomas Hoger / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ