
php5 Security Update: Recent PHP security update is flawed

Debian Security Advisory DSA-2403-1

php5: remote code execution possible after an earlier security patch.


Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code.

  • For the oldstable distribution (lenny), no fix is available at this time.
  • For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7.
  • The testing distribution (wheezy) and unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories can be found at:
