Date: Thu, 2 Feb 2012 17:21:33 GMT
From: Hilko Meyer <hilko.meyer@gmx.de>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/164712: security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow
Message-ID: <201202021721.q12HLXUf061436@red.freebsd.org>
Resent-Message-ID: <201202021730.q12HUCw8052876@freefall.freebsd.org>
>Number: 164712
>Category: ports
>Synopsis: security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 02 17:30:11 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Hilko Meyer
>Release:
>Organization:
>Environment:
>Description:
Hi,

suhosin 0.9.33 was recently released. They found a possible security problem which is not in the default configuration.

Advisory: http://seclists.org/fulldisclosure/2012/Jan/295
Changelog: http://www.hardened-php.net/suhosin/changelog.html

2012.01.19: Version 0.9.33
  - Make clear that suhosin is incompatible to mbstring.encoding_translation=On
  - Stop mbstring extension from replacing POST handlers
  - Added detection of extensions manipulating POST handlers
  - Fixed environment variables for logging do not go through the filter extension anymore
  - Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
  - Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
  - Removed crypt() support - because not used for PHP >= 5.3.0 anyway

>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: