is openbsd 3.9 php vulnerable? (Re[2]: [UPDATE] php5 to version 5.1.2 (IMPORTANT))
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: is openbsd 3.9 php vulnerable? (Re[2]: [UPDATE] php5 to version 5.1.2 (IMPORTANT))
- From: paul dansing <dansing_(_at_)_swissinfo_(_dot_)_org>
- Date: Tue, 2 May 2006 15:50:55 -0700
- Reply-to: paul dansing <dansing_(_at_)_swissinfo_(_dot_)_org>
Hello,
Can someone please give a straight answer about these PHP security
holes? OpenBSD 3.9 released yesterday had packages supporting:
php 4.4.1p0
php 5.0.5p0
Are either of these vulnerable? If so, is someone going to release
updated packages (not just ports)?
The php 5.1.3 release:
The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
* Enforce safe_mode for the source parameter of the copy() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare() function.
* Fixed a heap corruption inside the session extension.
* Fixed a bug that would allow a variable to survive unset().
thanks
Monday, May 1, 2006, 7:18:50 AM, you wrote:
> Hi.
> I haven't received a single test report, but I still get
> letters about asking for an update. How's that?
> This tarball also includes mysqli, fastcgi and hardened php support:
> http://gi.unideb.hu/~robert/php.tar.gz
> On (28/04/06 01:59), Robert Nagy wrote:
>> Hi.
>>
>> Finally after fighting with pear I've managed to create a working update
>> for the php5 port.
>> The PHP guys have changed the installation method of pear to use some crappy
>> PHP_Archive. With this move they broke the installation of pear on several
>> linux distros (e.g. Frugalware), OpenDarwin and on OpenBSD of course.
>> Any other crappy package managements where they install files directly to ${LOCALBASE}
--
Best regards,
paul mailto:dansing_(_at_)_swissinfo_(_dot_)_org
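The practical check behind the question above is whether an installed OpenBSD php package is older than the release that carries the listed fixes. The following POSIX sh snippet is an added example, not code from the post or from the OpenBSD ports tree: it strips the OpenBSD package-revision suffix (the "pN" in 5.0.5p0, which tracks port revisions rather than upstream PHP releases) and compares the remaining dotted version against 5.1.3, the fixed release the post names for the 5.x line. The post names no corresponding fixed release for the 4.4.x line, so the check reports "unknown" for 4.x rather than guessing; the two version strings fed in at the bottom are the ones quoted in the post.

```sh
#!/bin/sh
# Added example: decide whether an OpenBSD php package version predates the
# PHP release that resolved the security issues listed in the post (5.1.3).

PHP5_FIXED="5.1.3"   # from the post; no 4.x fixed release is given there

# strip_pkg_rev VERSION: drop the OpenBSD "pN" package-revision suffix
strip_pkg_rev() {
    printf '%s\n' "$1" | sed 's/p[0-9]*$//'
}

# version_lt A B: succeed (exit 0) when dotted version A is lower than B,
# comparing each numeric component in turn and treating missing ones as 0.
version_lt() {
    awk -v a="$(strip_pkg_rev "$1")" -v b="$(strip_pkg_rev "$2")" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# php_fix_status VERSION: print "vulnerable", "fixed" or "unknown".
# Only the 5.x line can be judged, because the post gives a fixed release
# (5.1.3) for that line alone.
php_fix_status() {
    case "$1" in
        5.*)
            if version_lt "$1" "$PHP5_FIXED"; then
                echo vulnerable
            else
                echo fixed
            fi
            ;;
        *)
            echo unknown
            ;;
    esac
}

# Constructed input: the package versions quoted in the post for OpenBSD 3.9.
for v in 4.4.1p0 5.0.5p0; do
    printf 'php %s: %s\n' "$v" "$(php_fix_status "$v")"
done
```

Run against a live system by substituting the output of `pkg_info` for the two constructed versions; anything the script reports as "unknown" still needs a human to consult the relevant PHP release notes.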