[FX.php List] PHP 5.2.8 on OS X 10.4?

Joel Shapiro jsfmp at earthlink.net
Tue Jan 6 14:20:07 MST 2009


Hi all

Does anyone have experience upgrading PHP on OS X 10.4 to 5.2.8? (or even 5.2.7?)

A client's IT dept has said their current PHP version should be updated to 5.2.8 (which seems to have only been released in Dec 2008). The current installed version is the default installed by FMS9. Marc Liyanage's entropy.ch site only has an installer for 5.2.4 :-(

(I don't know if all of the IT dept's reasons (below) are valid for PHP w/ FM, but it's a government agency so I doubt they'll be very flexible on their rules.)

TIA,
-Joel


Forwarded message:

>   Solution : Upgrade to PHP version 5.2.8 or later.
>
> Details:
>
> Vulnerability: http (80/tcp)
>
>   Synopsis :
>   The remote web server uses a version of PHP that is affected by
>   multiple flaws.
>
>   Description :
>   According to its banner, the version of PHP installed on the remote
>   host is older than 5.2.7. Such versions may be affected by several
>   security issues :
>   - File truncation can occur when calling 'dba_replace()'
>   with an invalid argument.
>   - There is a buffer overflow in the bundled PCRE library
>   fixed by 7.8. (CVE-2008-2371)
>   - A buffer overflow in the 'imageloadfont()' function in
>   'ext/gd/gd.c' can be triggered when a specially crafted
>   font is given. (CVE-2008-3658)
>   - There is a buffer overflow in PHP's internal function
>   'memnstr()', which is exposed to userspace as
>   'explode()'. (CVE-2008-3659)
>   - When used as a FastCGI module, PHP segfaults when
>   opening a file whose name contains two dots (eg,
>   'file..php'). (CVE-2008-3660)
>   - Multiple directory traversal vulnerabilities in
>   functions such as 'posix_access()', 'chdir()', 'ftok()'
>   may allow a remote attacker to bypass 'safe_mode'
>   restrictions. (CVE-2008-2665 and CVE-2008-2666).
>   - A buffer overflow may be triggered when processing long
>   message headers in 'php_imap.c' due to use of an
>   obsolete API call. (CVE-2008-2829)
>   - A heap-based buffer overflow may be triggered via
>   a call to 'mb_check_encoding()', part of the 'mbstring'
>   extension. (CVE-2008-5557)
>   - Missing initialization of 'BG(page_uid)' and
>   'BG(page_gid)' when PHP is used as an Apache module
>   may allow for bypassing security restriction due to
>   SAPI 'php_getuid()' overloading. (CVE-2008-5624)
>   - Incorrect 'php_value' order for Apache configuration
>   may allow bypassing PHP's 'safe_mode' setting.
>   (CVE-2008-5625)
>   - The ZipArchive:extractTo() method in the ZipArchive
>   extension fails to filter directory traversal
>   sequences from file names. (CVE-2008-5658)
>   See also :
>   http://securityreason.com/achievement_securityalert/57
>   http://securityreason.com/achievement_securityalert/58
>   http://securityreason.com/achievement_securityalert/59
>   http://www.sektioneins.de/advisories/SE-2008-06.txt
>   http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
>   http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
>   http://www.openwall.com/lists/oss-security/2008/08/08/2
>   http://www.openwall.com/lists/oss-security/2008/08/13/8
>   http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
>   http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
>   http://bugs.php.net/bug.php?id=42862
>   http://bugs.php.net/bug.php?id=45151
>   http://bugs.php.net/bug.php?id=45722
>   http://www.php.net/releases/5_2_7.php
>   http://www.php.net/ChageLog-5.php#5.2.7
>   Solution :
>   Upgrade to PHP version 5.2.8 or later.


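The scanner finding above is banner-based ("according to its banner ... older than 5.2.7"), so the first thing to verify on the FMS9 box is what version PHP actually reports and whether it is really below the 5.2.8 the IT dept asked for. The following is an added example, not part of Joel's post or of any scanner: it parses a PHP version banner (as printed by `php -v` or sent in an `X-Powered-By` header), compares it numerically against the required 5.2.8 (a plain string comparison would wrongly rank 5.2.10 below 5.2.8), and flags vendor-suffixed builds, where the banner alone cannot tell whether fixes were backported. The sample banners are constructed.

```python
import re
from typing import Optional, Tuple

# Minimum version the forwarded finding asks for ("Upgrade to PHP version 5.2.8 or later").
REQUIRED = (5, 2, 8)

# Matches "PHP 5.2.4 (cli) ..." from `php -v` as well as "PHP/5.2.4-2ubuntu5.5" from
# an X-Powered-By or Server header; group 4 captures any vendor/build suffix.
_VERSION_RE = re.compile(r"PHP/?\s*(\d+)\.(\d+)\.(\d+)([^\s,)]*)")


def parse_php_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Return ((major, minor, patch), suffix) from a banner, or None if no PHP version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def assess(banner: str, required: Tuple[int, int, int] = REQUIRED) -> str:
    """Classify a banner as 'ok', 'outdated', 'outdated-check-backports' or 'unknown'.

    Tuple comparison is used so that 5.2.10 correctly ranks above 5.2.8.
    A vendor suffix such as '-2ubuntu5.5' usually means the distro patches
    security fixes without bumping the upstream number, so the verdict must be
    confirmed against the vendor's changelog rather than trusted from the banner.
    """
    parsed = parse_php_version(banner)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    if version >= required:
        return "ok"
    if suffix:
        return "outdated-check-backports"
    return "outdated"


# Constructed sample banners, as a defender might collect them from several hosts.
SAMPLE_BANNERS = [
    "PHP 5.2.4 (cli) (built: Feb 11 2008 14:55:22)",   # stock entropy.ch-style build
    "X-Powered-By: PHP/5.2.8",                          # meets the requirement
    "X-Powered-By: PHP/5.2.10",                         # newer than required, must not be flagged
    "X-Powered-By: PHP/5.2.4-2ubuntu5.5",               # distro build, fixes may be backported
    "Server: Apache/1.3.41 (Darwin)",                   # no PHP banner at all
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{assess(b):<26} {b}")
```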