I got an e-mail announcing PHP 4.3.11-2.8 for Fedora Core 3, which fixes the following:
(copy/paste)
---------------------------------------------------------------------
Update Information:
This update includes several security fixes:
- fixes to prevent malicious requests from overwriting the
GLOBALS array (CVE-2005-3390)
- a fix to stop the parse_str() function from enabling the
register_globals setting (CVE-2005-3389)
- fixes for Cross-Site Scripting flaws in the phpinfo()
output (CVE-2005-3388)
- a fix for a denial of service (process crash) in EXIF
image parsing (CVE-2005-3353)
---------------------------------------------------------------------
* Fri Nov 4 2005 Joe Orton <jorton@redhat.com> 4.3.11-2.8
- add security fixes from upstream:
* XSS issues in phpinfo() (CVE-2005-3388, #172212)
* GLOBALS handling (CVE-2005-3390, #172207)
* parse_str() enabling register_globals (CVE-2005-3389, #172209)
* exif: infinite recursion on corrupt JPEG (CVE-2005-3353)
---------------------------------------------------------------------
Is the current ART release of PHP affected by the security issues, or are these already resolved in PHP 4.4, which ART is carrying at the moment?