* Thomas Hochstein:

> Allard Hoeve <[EMAIL PROTECTED]> wrote on 13 Apr 2006:
>
>> Please take note of bugs:
>>
>> - #361853: [CVE-2006-0996] phpinfo() Cross Site Scripting
>> - #361855: [CVE-2006-1494] tempnam() open_basedir bypass
>> - #361856: [CVE-2006-1608] copy() Safe Mode Bypass
>
> I wonder why there was no DSA at all for php4 (or php5) in 2006,
> though upstream released PHP 4.4.3 and 4.4.4 containing security
> fixes...
Do you know of any vulnerability which can be exploited on its own, without relying on buggy PHP scripts on the server (or the ability to upload your own PHP scripts)? Such an issue should be fixed ASAP.

Note that PHP in sarge is still at the 4.3 branch, which was discontinued upstream quite some time ago. Backporting the fixes is not exactly trivial.

It's sad that so many useful web applications are written in PHP. 8-(