Mandriva Linux Security Advisory : php (MDVSA-2010:254)
Medium Nessus Plugin ID 51196
Synopsis: The remote Mandriva Linux host is missing one or more security updates.
Description: This is a maintenance and security update that upgrades php to 5.3.4 for 2010.0/2010.1.
Security Enhancements and Fixes in PHP 5.3.4 :
- Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243).
- Fixed bug #53512 (NumberFormatter::setSymbol crash on bogus values) (CVE-2010-4409)
Please note that CVE-2010-4150, CVE-2010-3870, CVE-2010-3436, CVE-2010-3709, CVE-2010-3710 were fixed in previous advisories.
Key Bug Fixes in PHP 5.3.4 include :
- Added stat support for zip stream.
- Added follow_location (enabled by default) option for the http stream support.
- Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al.
- Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime.
- Multiple improvements to the FPM SAPI.
- Over 100 other bug fixes.
Additional post 5.3.4 fixes :
- Fixed bug #53517 (segfault in pgsql_stmt_execute() when postgres is down).
- Fixed bug #53541 (format string bug in ext/phar).
Additionally, some of the PECL extensions have been upgraded and/or rebuilt for the new php version.
Solution: Update the affected packages.