Information Security all in one place!

php5 Security Update: Recent PHP security update is flawed

Debian Security Advisory DSA-2403-1

php5 remote code execution, after problems were patched.

The PHP logo displaying the Handel Gothic font.

Image via Wikipedia

Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

  • For the oldstable distribution (lenny), no fix is available at this time.
  • For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7.
  • The testing distribution (wheezy) and unstable distribution (sid) will be fixed soon.

Recommended that you upgrade your php5 packages.

Further information about Debian Security Advisories,
found at: http://www.debian.org/security/

Related articles

This entry was posted on February 3, 2012 by . It was filed under Malware, Patching, remote attackers, Remote Code Execution, Security, Security Advisory, Vulnerabilities, Zero-Day and was tagged with , , , , , , , , , , , , , , , .

Let's hear what you have to say.

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 176 other followers