Ubuntu issues big PHP update
The Ubuntu development team yesterday released a series of security fixes for PHP running on Ubuntu 6.06 LTS, 7.04, 7.10 and Ubuntu 8.04 LTS.
The updates fix a number of security risks in PHP, including a problem with PHP not properly checking the length of the string parameter to the fnmatch function. An attacker could cause a denial of service in the PHP interpreter if a script passed untrusted input to the fnmatch function.
The update also fixes a flaw in the cURL library that allowed safe_mode and open_basedir restrictions to be bypassed. If a PHP application were tricked into processing a bad file:// request, an attacker could read arbitrary files.
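Independently of the package update, application code that fetches user-supplied URLs can refuse file:// itself. The following is an added example, not code from the Ubuntu advisory or the PHP project; it assumes the application only needs http and https, and the helper names `is_allowed_url` and `fetch_remote` are hypothetical.

```php
<?php
// Added example: defence in depth for fetching user-supplied URLs with
// PHP's cURL extension. Helper names are hypothetical.

function is_allowed_url(string $url): bool
{
    $parts = parse_url($url);
    // Require an explicit scheme and host; bare paths and file:/// have no host.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

function fetch_remote(string $url): string
{
    if (!is_allowed_url($url)) {
        throw new InvalidArgumentException('Only http:// and https:// URLs are accepted');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        // Enforce the same restriction inside libcurl, not only in PHP code.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // A redirect must not switch the transfer to another scheme.
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        CURLOPT_TIMEOUT         => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('Fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed sample inputs: only the first one passes the scheme check.
$samples = ['https://example.com/feed.xml', 'file:///var/www/app/config.php',
            'FILE://localhost/var/www/app/config.php', '/var/www/app/config.php'];
foreach ($samples as $u) {
    printf("%-42s %s\n", $u, is_allowed_url($u) ? 'allowed' : 'rejected');
}
```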
Problems with the htmlentities and htmlspecialchars functions, which did not correctly stop when handling partial multibyte sequences, were also fixed. This error could be used by an attacker to read certain areas of memory, possibly gaining access to sensitive information.
These, and other security risks, can be fixed by updating systems to the following package versions:
Ubuntu 6.06 LTS:
Ubuntu 8.04 LTS:
Full details of the flaws fixed by this release can be found here.