This bug was fixed in the package php5 - 5.3.2-1ubuntu4.13

---------------
php5 (5.3.2-1ubuntu4.13) lucid-security; urgency=low

  * SECURITY UPDATE: memory allocation failure denial of service
    - debian/patches/php5-CVE-2011-4153.patch: check result of zend_strdup()
      and calloc() for failed allocations
    - CVE-2011-4153
  * SECURITY UPDATE: predictable hash collision denial of service
    (LP: #910296)
    - debian/patches/php5-CVE-2011-4885.patch: add max_input_vars directive
      with default limit of 1000
    - ATTENTION: this update changes previous php5 behavior by limiting the
      number of external input variables to 1000. This may be increased by
      adding a "max_input_vars" directive to the php.ini configuration file.
      See http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
      for more information.
    - CVE-2011-4885
  * SECURITY UPDATE: remote code execution vulnerability introduced by the
    fix for CVE-2011-4885 (LP: #925772)
    - debian/patches/php5-CVE-2012-0830.patch: return rather than continuing
      if max_input_vars limit is reached
    - CVE-2012-0830
  * SECURITY UPDATE: XSLT arbitrary file overwrite attack
    - debian/patches/php5-CVE-2012-0057.patch: add xsl.security_prefs ini
      option to define forbidden operations within XSLT stylesheets
    - CVE-2012-0057
  * SECURITY UPDATE: PDORow session denial of service
    - debian/patches/php5-CVE-2012-0788.patch: fail gracefully when
      attempting to serialize PDORow instances
    - CVE-2012-0788
  * SECURITY UPDATE: magic_quotes_gpc remote disable vulnerability
    - debian/patches/php5-CVE-2012-0831.patch: always restore
      magic_quotes_gpc on request shutdown
    - CVE-2012-0831
  * SECURITY UPDATE: arbitrary files removal via cronjob
    - debian/php5-common.php5.cron.d: take greater care when removing
      session files (overlooked in a previous update).
    - http://git.debian.org/?p=pkg-php%2Fphp.git;a=commitdiff_plain;h=d09fd04ed7bfcf7f008360c6a42025108925df09
    - CVE-2011-0441

 -- Steve Beattie <sbeat...@ubuntu.com>  Wed, 08 Feb 2012 20:55:57 -0800

** Changed in: php5 (Ubuntu Lucid)
       Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0441

-- 
https://bugs.launchpad.net/bugs/910296

Title:
  Please backport the upstream patch to prevent attacks based on hash
  collisions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
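Added example, written for this page and not code from the php5 package, the Debian patches or the Launchpad thread: it shows why the CVE-2011-4885 class of request is cheap to build and why the max_input_vars cap, applied as "return rather than continuing" (the CVE-2012-0830 follow-up), bounds the work a single request can cause. PHP 5 hashes string array keys with DJBX33A (h = 5381; h = h * 33 + byte), and because that function is linear in each byte, equal-length colliding blocks such as "Ez" and "FY" stay colliding under any concatenation, so n blocks give 2**n keys in one bucket. The request-body format, the probe-counting table model and the parse_body limit behaviour are constructed for the demo, not PHP's actual parser; only the hash function and the 1000 default are taken from the page and from PHP 5's zend_inline_hash_func.

```python
"""Hash-collision DoS against DJBX33A keyed tables, and the effect of a
max_input_vars style cap.  Constructed demo, not the php5 package's code."""
from itertools import product

MAX_INPUT_VARS = 1000          # php.ini default introduced by this update


def djbx33a(s: bytes) -> int:
    """DJBX33A as PHP 5 uses it for string keys (64-bit unsigned wrap)."""
    h = 5381
    for b in s:
        h = (h * 33 + b) & 0xFFFFFFFFFFFFFFFF
    return h


def colliding_keys(blocks: int) -> list[bytes]:
    """Return 2**blocks distinct keys that all share one DJBX33A hash.

    "Ez" and "FY" collide (69*33+122 == 70*33+89 == 2399); because the hash
    is linear in each byte, every concatenation of these blocks collides too.
    """
    assert djbx33a(b"Ez") == djbx33a(b"FY")
    return [b"".join(combo) for combo in product((b"Ez", b"FY"), repeat=blocks)]


def parse_body(body: bytes, limit: int = MAX_INPUT_VARS) -> dict[bytes, bytes]:
    """Toy model of a form-body parser with an input-variable cap.

    Once the cap is hit it stops and returns what it has, which is the
    behaviour the CVE-2012-0830 entry describes ("return rather than
    continuing"); it does not try to keep walking the remaining pairs.
    """
    out: dict[bytes, bytes] = {}
    for pair in body.split(b"&"):
        if len(out) >= limit:
            break                      # stop here, do not continue past the cap
        k, _, v = pair.partition(b"=")
        out[k] = v
    return out


def insert_cost(keys, nbuckets: int = 2 ** 16) -> int:
    """Key comparisons needed to insert keys into a chained hash table.

    Each insert compares against every existing entry in its chain, so n keys
    that share one hash cost n*(n-1)/2 comparisons: this is the quadratic
    blow-up a colliding request body triggers.  Constructed model of a
    chained table, not Zend's HashTable.
    """
    buckets: dict[int, list[bytes]] = {}
    probes = 0
    for k in keys:
        chain = buckets.setdefault(djbx33a(k) & (nbuckets - 1), [])
        probes += len(chain)           # one compare per entry already chained
        chain.append(k)
    return probes


def demo(blocks: int = 12) -> dict[str, int]:
    """Build a colliding request body and compare capped vs uncapped cost."""
    keys = colliding_keys(blocks)                  # 4096 keys, one bucket
    body = b"&".join(k + b"=x" for k in keys)      # constructed POST body
    capped = parse_body(body)                      # default cap of 1000
    uncapped = parse_body(body, limit=len(keys))   # pre-update behaviour
    return {
        "distinct_hashes": len({djbx33a(k) for k in keys}),
        "capped_vars": len(capped),
        "capped_probes": insert_cost(capped),
        "uncapped_probes": insert_cost(uncapped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 12 blocks the body carries 4096 keys that all hash alike; uncapped insertion costs 4096*4095/2 comparisons, the capped parse stops at 1000 keys and 1000*999/2 comparisons, and raising the body size no longer raises the cost. On a deployed host, `php -r 'var_dump(ini_get("max_input_vars"));'` shows whether the directive is in effect for the CLI SAPI; check the web SAPI's php.ini separately, since the changelog notes the default can be overridden there.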