On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>> > For some reason I had it in my head that 5.4.2 was the upstream
>> > version with the fixed fix rather than the not-quite fixed fix.
>>
>> I think this is the case (e.g. 5.4.2 is the fixed version).
>
> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
> 5.4.2 being incomplete.
PHP 5.4.2 does not fix the issue. Please see:

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html
https://twitter.com/i0n1c/status/198158078913417216

Cheers,
Thijs