php5 Security Update: Recent PHP security update is flawed
Debian Security Advisory DSA-2403-1
php5 remote code execution, after problems were patched.
Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.
- For the oldstable distribution (lenny), no fix is available at this time.
- For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7.
- The testing distribution (wheezy) and unstable distribution (sid) will be fixed soon.
Recommended that you upgrade your php5 packages.
Further information about Debian Security Advisories,
found at: http://www.debian.org/security/
- PHP 5.3.10 release delivers a critical security fix (php.net)
- Manuel Lemos: Another Serious Security Bug on PHP 5.3.9 (phpclasses.org)