PHP: Multiple vulnerabilities

thorpe

See here.

laserlight

Most of the vulnerabilities mentioned were fixed in PHP 5.1.3, but then PHP 5.1.4 is out so one should upgrade to that.

MarkR

These are actually quite minor:

These included a buffer overflow in the wordwrap() function,

Which I've never used.

restriction bypasses in the copy() and tempname() functions,

Which don't matter unless you're using filesystem restrictions (safe_mode or base_opendir), and even then, aren't really critical as there are other ways to bypass these.

a cross-site scripting issue in the phpinfo() function,

Which doesn't matter in the least, as you shouldn't have a public phpinfo() page on a production server.

a potential crash in the substr_compare() function

May be annoying, although I haven't used this myself.

and a memory leak in the non-binary-safe html_entity_decode() function.

This only has annoyance factor - although I haven't used this one either

All in all, I'd say it's not too bad, and I'm not rushing to upgrade just yet (although I will before too long)

Mark

thorpe

Im in the process of upgrading my whole Gentoo world, php and all. Not because of this et all, but I haven't done it in about 3 weeks.

Im also toying with the idea of setting up another server and maybe having a look at php6 just for fun. Anyone attempted this?