PHP updates


102 replies to this topic

#1 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 06 December 2008 - 10:07 AM

FYI...

PHP v5.2.7 released
- http://www.php.net/a...#id2008-12-04-3
04-Dec-2008 - "The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release..."

- http://www.php.net/downloads.php

- http://www.php.net/releases/5_2_7.php

ChangeLog:
- http://www.php.net/C...Log-5.php#5.2.7

:ph34r:

Edited by AplusWebMaster, 06 December 2008 - 10:12 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 09 December 2008 - 09:51 AM

FYI...

PHP 5.2.8 released
- http://www.php.net/releases/5_2_8.php
08-Dec-2008 - "The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7... that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini."

Downloads:
- http://www.php.net/downloads.php

ChangeLog:
- http://www.php.net/C...Log-5.php#5.2.8

- http://web.nvd.nist....d=CVE-2009-0422
Last revised: 02/05/2009

:ph34r:

Edited by AplusWebMaster, 09 February 2009 - 11:48 AM.



#3 AplusWebMaster


Posted 27 February 2009 - 09:43 AM

FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/34081/
Release Date: 2009-02-27
Critical: Moderately critical
Impact: Unknown, Exposure of sensitive information, DoS
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x...
Solution: Update to version 5.2.9
http://www.php.net/downloads.php ...
Original Advisory:
http://www.php.net/releases/5_2_9.php ...

:ph34r:



#4 AplusWebMaster


Posted 14 April 2009 - 10:26 AM

FYI...

PHP v5.2.9-2 released
- http://secunia.com/advisories/34666/2/
Release Date: 2009-04-14
Critical: Moderately critical
Impact: Security Bypass, DoS
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
Solution: Update to version 5.2.9-2.
Original Advisory: PHP: http://www.php.net/a...#id2009-04-08-1
CVE reference:
http://web.nvd.nist....d=CVE-2009-0590
http://web.nvd.nist....d=CVE-2009-0591
http://web.nvd.nist....d=CVE-2009-0789

- http://openssl.org/n...dv_20090325.txt

:ph34r:



#5 AplusWebMaster


Posted 19 September 2009 - 07:52 AM

FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/36791/2/
Release Date: 2009-09-18
Critical: Moderately critical
Impact: Unknown
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x ...
Solution: Update to version 5.2.11...
Original Advisory: http://www.php.net/releases/5_2_11.php
"75 bug fixes"
- http://www.php.net/C...og-5.php#5.2.11

:ph34r:



#6 AplusWebMaster


Posted 20 November 2009 - 05:41 AM

FYI...

PHP v5.3.1 released
- http://secunia.com/advisories/37412/2/
Release Date: 2009-11-20
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.3.x ...
Solution: Update to version 5.3.1.
Original Advisory: PHP:
http://www.php.net/releases/5_3_1.php

ChangeLog
- http://www.php.net/C...Log-5.php#5.3.1

- http://isc.sans.org/...ml?storyid=7615
"... With many of the websites on the net relying on PHP and the number of attacks we see, consider upgrading. This release has over 100 bug fixes..."

- http://secunia.com/advisories/37412/3/
Last Update: 2009-11-24 ...
CVE reference:
http://web.nvd.nist....d=CVE-2009-3292
http://web.nvd.nist....d=CVE-2009-3557
http://web.nvd.nist....d=CVE-2009-3558
http://web.nvd.nist....d=CVE-2009-4017

:ph34r:

Edited by AplusWebMaster, 17 December 2009 - 10:18 AM.



#7 AplusWebMaster


Posted 17 December 2009 - 10:18 AM

FYI...

PHP v5.2.12 released
- http://secunia.com/advisories/37821/2/
Release Date: 2009-12-17
Critical: Moderately critical
Impact: Unknown, Security Bypass, Cross Site Scripting
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
Solution: Update to version 5.2.12.
Original Advisory: PHP:
http://www.php.net/releases/5_2_12.php
http://bugs.php.net/bug.php?id=49785 ...

- http://secunia.com/advisories/37821/3/
CVE reference:
CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4142, CVE-2009-4143

ChangeLog
- http://www.php.net/C...og-5.php#5.2.12
17-December-2009

> http://forums.whatth...st_p618015.html

:ph34r:

Edited by AplusWebMaster, 17 December 2009 - 10:37 AM.



#8 AplusWebMaster


Posted 26 February 2010 - 10:03 AM

FYI...

PHP v5.2.13 released
- http://secunia.com/advisories/38708/
Last Update: 2010-03-08
Impact: Security Bypass
Where: From remote
Software: PHP 5.2.x
Original Advisory: PHP:
http://www.php.net/releases/5_2_13.php ...
"... over 40 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release..."
Last updated: Fri Feb 26 15:12:05 2010 UTC

ChangeLog:
- http://www.php.net/C...og-5.php#5.2.13

- http://www.php.net/downloads.php

- http://secunia.com/advisories/38708/
Solution: Update to version 5.2.13 or 5.3.2.

- http://securitytrack...eb/1023661.html
Feb 27 2010

:ph34r:

Edited by AplusWebMaster, 09 March 2010 - 03:37 AM.



#9 AplusWebMaster


Posted 06 March 2010 - 01:21 PM

FYI...

PHP v5.3.2 released
- http://www.php.net/releases/5_3_2.php
04-March-2010 - "... large number of bug fixes..."

- http://www.php.net/C...Log-5.php#5.3.2

- http://www.php.net/downloads.php

- http://secunia.com/advisories/38708/
Last Update: 2010-03-08

:ph34r:

Edited by AplusWebMaster, 09 March 2010 - 03:40 AM.



#10 AplusWebMaster


Posted 31 July 2010 - 08:09 AM

FYI...

PHP v5.3.3 released
- http://www.php.net/a...#id2010-07-22-2
22-Jul-2010 - "... over 100 bug fixes, some of which are security related."

- http://secunia.com/advisories/40268/
Last Update: 2010-07-23
Criticality level: Moderately critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch...

15 years of PHP
- http://www.h-online....HP-1017628.html

:ph34r:



#11 AplusWebMaster


Posted 09 August 2010 - 05:27 PM

FYI...

RE: PHP v5.3.3...
- http://www.securityf.../bid/41991/info
Updated: Aug 09 2010 - "... Not Vulnerable: PHP 5.3.3, PHP 5.2.14..."

- http://www.securityf...d/41991/exploit
"Some of these issues may be exploited through a browser. Other issues may require an attacker to have local interactive access. Currently we are not aware of any working exploits..."

ChangeLog
- http://www.php.net/C...Log-5.php#5.3.3

- http://www.php.net/a...#id2010-07-22-2

:ph34r:



#12 AplusWebMaster


Posted 14 November 2010 - 02:20 PM

FYI...

PHP mb_strcut() may disclose potentially sensitive info...
- http://securitytrack...ov/1024737.html
Date: Nov 13 2010
... impact depends on the applications that use the vulnerable function...
Solution: The vendor has issued a source code fix, available via SVN...

- http://us3.php.net/m...n.mb-substr.php
Last updated: Fri, 12 Nov 2010

- http://web.nvd.nist....d=CVE-2010-4156
Last revised: 11/10/2010
CVSS v2 Base Score: 5.0 (MEDIUM)
___

- http://securitytrack...ov/1024761.html
Date: Nov 22 2010
Version(s): 5.2.14, 5.3.3; possibly others...
Solution: The vendor has issued a source code fix, available at: http://svn.php.net/v...revision=305032 ...

:ph34r:

Edited by AplusWebMaster, 22 November 2010 - 06:24 PM.



#13 AplusWebMaster


Posted 10 December 2010 - 12:00 PM

FYI...

PHP v5.3.4 released
- http://www.php.net/a...#id2010-12-10-1
10-Dec-2010 - "... This is a maintenance release in the 5.3 series, which includes a large number of bug fixes...
Key Bug Fixes in PHP 5.3.4 include:
• Added stat support for zip stream.
• Added follow_location (enabled by default) option for the http stream support.
• Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
• Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
• Multiple improvements to the FPM SAPI.
Over 100 other bug fixes..."

ChangeLog:
- http://www.php.net/C...Log-5.php#5.3.4

- http://secunia.com/advisories/41724/
Last Update: 2010-12-10
Impact: Unknown, Security Bypass, DoS
Where: From remote...
Solution: Update to version 5.2.15 and 5.3.4.
Original Advisory: PHP:
http://www.php.net/a...#id2010-12-10-1
http://www.php.net/a...#id2010-12-09-1
___

- http://www.php.net/a...#id2010-12-16-1
16-Dec-2010 - "... PHP 5.2's support ended, a migration guide available on http://php.net/migration53 , details the changes between PHP 5.2 and PHP 5.3."

:ph34r: :ph34r:

Edited by AplusWebMaster, 18 December 2010 - 04:28 PM.



#14 AplusWebMaster


Posted 22 March 2011 - 06:32 AM

FYI...

php.net security notice
- http://www.php.net/a...#id2011-03-19-2
19-Mar-2011 - "The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts. We are still investigating the details of the attack which combined a vulnerability in the Wiki software with a Linux root exploit."

- http://www.h-online....ed-1211874.html
21 March 2011
___

PHP 5.3.6 Released
17-Mar-2011 - "The PHP development team would like to announce the immediate availability of PHP 5.3.6. This release focuses on improving the stability of the PHP 5.3.x branch with over 60 bug fixes, some of which are security related..."

- http://web.nvd.nist....d=CVE-2011-1153
Last revised: 03/22/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... in PHP 5.3.5 and earlier..."
- http://web.nvd.nist....d=CVE-2011-1092
Last revised: 03/22/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... before 5.3.6..."

- http://web.nvd.nist....d=CVE-2011-1148
Last revised: 03/21/2011
CVSS v2 Base Score: 7.5 (HIGH) / "... in PHP 5.3.6 and earlier..."
> http://xforce.iss.ne...orce/xfdb/66080
"High Risk... No remedy available as of March 26, 2011..."

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 28 March 2011 - 02:05 PM.



#15 AplusWebMaster


Posted 18 August 2011 - 03:15 PM

FYI...

PHP v5.3.7 released
- http://www.php.net/a...#id2011-08-18-1
18-Aug-2011 - "... This release focuses on improving the stability of the PHP 5.3.x branch with over 90 bug fixes, some of which are security related..."

Change Log
- http://www.php.net/C...Log-5.php#5.3.7

- http://h-online.com/-1326138
19 August 2011 - "... bug fixes resolve a number of crashing flaws when using track_errors, calling unknown function names, passing NULL to the DatePeriod constructor and many more... a high severity use after free error in substr_replace (CVE-2011-1148) and a high severity stack overflow in socket_connect (CVE-2011-1938) have also been fixed. One medium security issue fixed is a file path injection vulnerability in the file upload mechanism (CVE-2011-2022)..."

- http://web.nvd.nist....d=CVE-2011-1148
- http://web.nvd.nist....d=CVE-2011-1938
- http://web.nvd.nist....d=CVE-2011-2022

- https://secunia.com/advisories/44874/
Last Update: 2011-08-19
Impact: Security Bypass, DoS, System access
Where: From remote
Solution: Update to version 5.3.7.

:ph34r:

Edited by AplusWebMaster, 20 August 2011 - 01:46 PM.
