DSA-2089

Several remote vulnerabilities have been discovered in PHP 5, an hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-1917

The fnmatch function can be abused to conduct denial of service attacks (by crashing the interpreter) by the means of a stack overflow.

CVE-2010-2225

The SplObjectStorage unserializer allows attackers to execute arbitrary code via serialized data by the means of a use-after-free vulnerability.

MOPS-60

The default sessions serializer does not correctly handle a special marker, which allows an attacker to inject arbitrary variables into the session and possibly exploit vulnerabilities in the unserializer.



For the vulnerability described by CVE-2010-1128 (predictable entropy for the Linear Congruential Generator used to generate session ids,) we do not consider upstream's solution to be sufficient. It is recommended to uncomment the 'session.entropy_file' and 'session.entropy_length' settings in the php.ini files. Further improvements can be achieved by setting 'session.hash_function' to 1 (one) and incrementing the value of 'session.entropy_length.'



For the stable distribution (lenny), these problems have been fixed in version 5.2.6.dfsg.1-1+lenny9.

For the testing distribution (squeeze) and the unstable distribution (sid), these problems will be fixed soon.



We recommend that you upgrade your php5 packages.