Date: Thu, 18 Jun 2015 11:22:38 +0200
From: Tomas Hoger <>
Subject: PHP 5.6.10 / 5.5.26 / 5.4.42 CVE request


PHP 5.6.10 / 5.5.26 / 5.4.42 releases fix a few issues tagged as security
in the upstream bug tracker:

Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).;a=commitdiff;h=d2ac264ffea5ca2e85640b6736e0c7cd4ee9a4a9
(Windows specific)

Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting
in heap overflow).;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2
(#69545 was originally fixed in 5.4.41 / 5.5.25 / 5.6.9 and got
CVE-2015-4022, but the fix was found to be incomplete, as explained in
the upstream bug)

Fixed bug #69719 (Incorrect handling of paths with NULs).;a=commitdiff;h=8fc52d77d6f66c438c98d536e2309b5fd13f90de
(This already got CVE-2015-4598 assigned in

Fixed bug #69667 (segfault in php_pgsql_meta_data).;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64
(Not security bug upstream, but we found this when testing updates with
fixes for CVE-2015-1352.  I believe the original issue that got
CVE-2015-1352 is not considered security by upstream either, so just
noting this for completeness.)

Tomas Hoger / Red Hat Product Security
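The two bug classes named in the message (an integer overflow in a size computation that leads to a heap overflow, and a path containing an embedded NUL that libc would silently truncate) both come down to a missing check before the dangerous call. The following C block is an added illustration written for this archive page; it is not PHP's code and does not reproduce the ftp_genlist() or path-handling fix. The function names, the list-length inputs and the sample paths are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Sum the byte lengths of n list entries, one terminator byte each,
 * refusing to continue if the running total would wrap around size_t.
 * Returns 0 with *total set on success, -1 if the sum would overflow.
 * (Illustrative helper; not PHP's ftp_genlist() logic.) */
int sum_entry_lengths(const size_t *lens, size_t n, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        /* Each entry needs lens[i] + 1 bytes; check both additions. */
        if (lens[i] > SIZE_MAX - 1)
            return -1;
        size_t need = lens[i] + 1;
        if (sum > SIZE_MAX - need)
            return -1;
        sum += need;
    }
    *total = sum;
    return 0;
}

/* Allocate the output buffer only after the size has been validated,
 * so a wrapped-around (too small) size can never reach malloc.
 * Returns NULL if the size computation overflowed or malloc failed. */
char *alloc_list_buffer(const size_t *lens, size_t n, size_t *out_size)
{
    size_t total;
    if (sum_entry_lengths(lens, n, &total) != 0)
        return NULL;
    char *buf = malloc(total ? total : 1);
    if (buf && out_size)
        *out_size = total;
    return buf;
}

/* A length-delimited path carries an embedded NUL when a '\0' appears
 * before the declared end. libc path functions would stop at that byte,
 * opening a different file than the caller validated, so such input must
 * be rejected up front. Returns 1 if an embedded NUL is present, else 0. */
int path_has_embedded_nul(const char *path, size_t len)
{
    return memchr(path, '\0', len) != NULL;
}

/* Constructed sample inputs (not from the PHP bug reports). */
static const size_t sample_lens[] = {3, 4, 5};            /* 4+5+6 = 15 */
static const size_t overflow_lens[] = {SIZE_MAX - 1, 1};  /* wraps */

size_t sample_total(void)
{
    size_t t = 0;
    sum_entry_lengths(sample_lens, 3, &t);
    return t;
}

int overflow_detected(void)
{
    size_t t = 0;
    return sum_entry_lengths(overflow_lens, 2, &t);
}

int main(void)
{
    printf("sample total: %zu\n", sample_total());
    printf("overflow case rejected: %s\n",
           overflow_detected() == -1 ? "yes" : "no");
    /* 12 bytes: "/tmp/a" + '\0' + "b.txt" */
    printf("embedded NUL detected: %d\n",
           path_has_embedded_nul("/tmp/a\0b.txt", 12));
    printf("clean path flagged: %d\n",
           path_has_embedded_nul("/tmp/a.txt", 10));
    return 0;
}
```

The point of checking against `SIZE_MAX - need` rather than testing the sum after the fact is that unsigned wrap-around is well defined in C, so a post-hoc check would see a small but "valid" number and pass the undersized allocation through, which is exactly the shape of bug that turns an integer overflow into a heap overflow.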
