oss-security - Re: CVE request: php 5.3.1 update

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 20 Nov 2009 10:47:35 +0000
From: Joe Orton <jorton@...hat.com>
To: Thomas Biege <thomas@...e.de>
Cc: OSS-Security Mailinglist <oss-security@...ts.openwall.com>
Subject: Re: CVE request: php 5.3.1 update

On Fri, Nov 20, 2009 at 11:41:50AM +0100, Thomas Biege wrote:
> Hello,
> 
> PHP was updated to version 5.3.1 and did also address security
> issues: http://www.php.net/releases/5_3_1.php

We assigned some CVE names for the new issues here; two correspond to 
existing issues fixed earlier in 5.2.11.  The CVE names have not made it 
to the web site but were used in the e-mail announcement text:

- Added missing sanity checks around exif processing. (CVE-2009-3292, Ilia)
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak.
  (CVE-2009-3557, Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz
  Stachowiak. (CVE-2009-3558, Rasmus)
- Fixed bug #50063 (safe_mode_include_dir fails). (CVE-2009-3559,
  Johannes, christian at elmerot dot se)
- Fixed bug #44683 (popen crashes when an invalid mode is passed).
  (CVE-2009-3294, Pierre)

Regards, Joe

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.