1.158. php


1.158.1. RHSA-2010:0040: Moderate security update

Important

This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0040.
Updated php packages that fix several security issues are now available for Red Hat Enterprise Linux 3, 4, and 5.
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.
Multiple missing input sanitization flaws were discovered in PHP's exif extension. A specially-crafted image file could cause the PHP interpreter to crash or, possibly, disclose portions of its memory when a PHP script tried to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2009-2687, CVE-2009-3292)
A missing input sanitization flaw, leading to a buffer overflow, was discovered in PHP's gd library. A specially-crafted GD image file could cause the PHP interpreter to crash or, possibly, execute arbitrary code when opened. (CVE-2009-3546)
It was discovered that PHP did not limit the maximum number of files that can be uploaded in one request. A remote attacker could use this flaw to instigate a denial of service by causing the PHP interpreter to use lots of system resources dealing with requests containing large amounts of files to be uploaded. This vulnerability depends on file uploads being enabled (which it is, in the default PHP configuration). (CVE-2009-4017)
Note: This update introduces a new configuration option, max_file_uploads, used for limiting the number of files that can be uploaded in one request. By default, the limit is 20 files per request.
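The following is an added example, not code from the advisory or the php package: it shows how an application can enforce its own upload-count ceiling on top of the php.ini limit described above. The php.ini values in the comment, the `APP_MAX_UPLOADS` constant and the `check_uploads()` helper are assumptions for this example, and the `$_FILES`-shaped array at the bottom is constructed input. The code is written against the PHP 5.1 syntax shipped with Red Hat Enterprise Linux 5.

```php
<?php
// Added example, not part of the advisory: enforcing an upload-count ceiling
// in the application on top of the php.ini limit the advisory introduces.
//
// Related php.ini settings (suggested values, not taken from the page):
//   file_uploads = On        ; set Off on hosts that never accept uploads
//   max_file_uploads = 20    ; default after this update; lower it if you can
//   upload_max_filesize = 2M
//   post_max_size = 8M

// Application-level ceiling (assumed value). Keep it <= max_file_uploads:
// PHP stops accepting files beyond max_file_uploads before the script runs,
// so a higher application limit can never be reached.
define('APP_MAX_UPLOADS', 5);

/**
 * Count the files in a $_FILES-shaped array, handling both plain fields and
 * array fields (<input type="file" name="docs[]">), and return a list of
 * problems. An empty list means the request is acceptable.
 */
function check_uploads($files, $appLimit = APP_MAX_UPLOADS)
{
    $problems = array();
    if (!ini_get('file_uploads')) {
        $problems[] = 'file_uploads is disabled in php.ini';
        return $problems;
    }
    $iniLimit = (int) ini_get('max_file_uploads'); // 0 on builds without the option
    if ($iniLimit > 0 && $appLimit > $iniLimit) {
        $problems[] = "application limit $appLimit is above max_file_uploads=$iniLimit";
    }

    $count = 0;
    foreach ($files as $field => $entry) {
        $errors = is_array($entry['error']) ? $entry['error'] : array($entry['error']);
        foreach ($errors as $idx => $err) {
            if ($err == UPLOAD_ERR_NO_FILE) {
                continue; // field present but empty, not an upload
            }
            $count++;
            if ($err != UPLOAD_ERR_OK) {
                $problems[] = $field . '[' . $idx . ']: upload error code ' . $err;
            }
        }
    }
    if ($count > $appLimit) {
        $problems[] = "$count files in request, application limit is $appLimit";
    }
    return $problems;
}

// Constructed $_FILES-style input for the example: six files in one array
// field, one of which exceeded upload_max_filesize (placeholder tmp paths).
$fakeFiles = array(
    'docs' => array(
        'name'     => array('a.txt', 'b.txt', 'c.txt', 'd.txt', 'e.txt', 'f.txt'),
        'type'     => array_fill(0, 6, 'text/plain'),
        'tmp_name' => array_fill(0, 6, '/tmp/phpXXXXXX'),
        'error'    => array(0, 0, 0, UPLOAD_ERR_INI_SIZE, 0, 0),
        'size'     => array(10, 10, 10, 5000000, 10, 10),
    ),
);
foreach (check_uploads($fakeFiles) as $p) {
    echo $p, "\n";
}
```

The application limit is checked against `max_file_uploads` at run time so that a deployment whose php.ini was tightened below the application's expectation is reported rather than silently losing files.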
It was discovered that PHP was affected by the previously published "null prefix attack", caused by incorrect handling of NUL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse PHP into accepting it by mistake. (CVE-2009-3291)
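As an added example (not code from the advisory or from PHP itself), the check below matches a peer's hostname against the names in a parsed certificate and refuses any name that contains a NUL byte, which is the condition the fix for CVE-2009-3291 addresses. The `$parsed` arrays are constructed in the shape `openssl_x509_parse()` returns; in real code they would come from `openssl_x509_parse(openssl_x509_read($pem))`. The function name `cert_name_matches()` is an assumption for this example.

```php
<?php
// Added example, not part of the advisory: hostname matching that rejects
// certificate names containing an embedded NUL byte.

/**
 * Return true if $host matches the subject CN or a DNS subjectAltName of the
 * certificate described by $parsed (an openssl_x509_parse() result).
 * Names containing "\0" are never matched: a DNS name cannot contain NUL,
 * and a C-string comparison would stop at it and see a different name than
 * the one the CA actually signed.
 */
function cert_name_matches($parsed, $host)
{
    $names = array();
    if (isset($parsed['subject']['CN'])) {
        // openssl_x509_parse() returns an array here when the CN is repeated.
        $cn = $parsed['subject']['CN'];
        $names = is_array($cn) ? $cn : array($cn);
    }
    if (!empty($parsed['extensions']['subjectAltName'])) {
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $san) {
            $san = trim($san);
            if (strncasecmp($san, 'DNS:', 4) === 0) {
                $names[] = substr($san, 4);
            }
        }
    }
    foreach ($names as $name) {
        if (strpos($name, "\0") !== false) {
            continue; // embedded NUL: treat the name as absent
        }
        if (strcasecmp($name, $host) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed certificate fields for the example.
$good = array(
    'subject'    => array('CN' => 'www.example.com'),
    'extensions' => array('subjectAltName' => 'DNS:www.example.com, DNS:example.com'),
);
$nulName = array(
    'subject'    => array('CN' => "www.example.com\0.example.net"),
    'extensions' => array(),
);
var_dump(cert_name_matches($good, 'www.example.com'));
var_dump(cert_name_matches($nulName, 'www.example.com'));
```

PHP string functions such as `strcasecmp()` are binary-safe, so the second certificate would not have matched by accident here; the explicit NUL check exists so that the name is rejected deliberately rather than relying on that property, and so the rejection can be logged.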
It was discovered that PHP's htmlspecialchars() function did not properly recognize partial multi-byte sequences for some multi-byte encodings, sending them to output without them being escaped. An attacker could use this flaw to perform a cross-site scripting attack. (CVE-2009-4142)
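The following is an added example, not code from the advisory or from PHP: an output-escaping helper that names its encoding explicitly and rejects invalid or truncated multi-byte input before it reaches `htmlspecialchars()`, so a partial sequence of the kind behind CVE-2009-4142 can never be emitted unescaped. The `html_escape()` function and the sample strings are constructed for this example.

```php
<?php
// Added example, not part of the advisory: escaping that validates the
// encoding first instead of relying on htmlspecialchars() defaults.

/**
 * Escape $text for an HTML body or attribute value.
 * Returns an empty string when $text is not valid in $encoding, so a
 * truncated multi-byte sequence is dropped rather than passed through.
 */
function html_escape($text, $encoding = 'UTF-8')
{
    // Reject byte sequences that are not valid in the declared encoding.
    if (function_exists('mb_check_encoding') && !mb_check_encoding($text, $encoding)) {
        return '';
    }
    // Always name the encoding; never depend on the default charset.
    return htmlspecialchars($text, ENT_QUOTES, $encoding);
}

// Constructed inputs for the example.
$samples = array(
    'plain'   => '<script>alert(1)</script>',
    'utf8'    => "caf\xC3\xA9 <b>",
    // \xC3 opens a two-byte UTF-8 sequence but no continuation byte follows.
    'partial' => "\xC3<script>alert(1)</script>",
);
foreach ($samples as $name => $s) {
    printf("%-8s %s\n", $name, html_escape($s));
}
```

Dropping the whole string on an invalid sequence is the conservative choice for a web response; where the value must be preserved, convert it with `mb_convert_encoding()` to a known-good encoding first and then escape, rather than escaping bytes whose encoding is uncertain.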
All php users should upgrade to these updated packages, which contain backported patches to resolve these issues. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

1.158.2. RHBA-2010:0241: bug fix and enhancement update

Updated php packages that fix various bugs and add enhancements are now available.
PHP is an HTML-embedded scripting language that allows developers to write dynamically generated web pages. PHP is ideal for writing database-enabled websites, with built-in integration for several commercial and non-commercial database management systems. PHP is often used as a replacement for CGI scripts.
The php package contains a module that adds support for the PHP language to the Apache HTTP Server.
* two minor fixes were performed in the php substr_compare and substr_count functions to correct integer overflows. (BZ#469807 & BZ#470971)
* if a PHP script uses odbc_connect and the -lodbcpsql library is being used for PostgreSQL, it will either hang forever or cause a segmentation fault. The default behavior was changed, and the hangs and errors no longer occur. (BZ#483690)
* the default PHP build was not thread-safe, and became unusable with the worker MPM in httpd. It was upgraded to be thread-safe and can now be used as expected. (BZ#484058)
* when an unsupported character set was used, the PHP mbstring module would experience a segmentation fault. A patch was added to resolve a double-free problem, and the segfault no longer occurs. (BZ#486651)
* when rebuilding PHP on IBM PowerPC architecture, the build would fail. A change was made to the PHP specfile, and a rebuild now works as expected. (BZ#491050)
* the PHP move_uploaded_file function was generating inconsistent destination file permissions. The destination file's permissions are now always determined by the active umask and permissions are now consistent. (BZ#498031)
* some PHP code was creating invalid pointer errors and stack traces. The package was updated so that an entry is added to the log file, and no error occurs. (BZ#515372)
* the default memory_limit value was too low for some 64-bit architectures. The user needed to manually edit the php.ini file to be able to start Apache. The default value has been increased to 128M and Apache now starts as expected on 64-bit hardware. (BZ#517604)
* when attempting to build Zarafa a syntax error caused the build to fail. Extraneous keystrokes were removed and Zarafa now builds as expected. (BZ#530824)
* the PHP package has been updated to include new code from upstream. (BZ#500383, BZ#505355, & BZ#511175)
Users are advised to upgrade to these updated php packages, which resolve these issues and add these enhancements.