Security : PHP 5.4.3 and PHP 5.3.13

Posted by & filed under PHP.

PHP 5.4.3 and PHP 5.3.13 have been released by the PHP development team to fix some critical security issues. Source code disclosure with a trivial request (CVE-2012-1823 and CVE-2012-2311): PHP 5.4 and 5.3 are vulnerable. Buffer overflow in apache_request_headers() (CVE-2012-2329): only PHP 5.4 is vulnerable. If you’re using the CGI flavor of PHP, upgrading…

MySQL 5.5.24

Posted by & filed under MySQL.

The packages of MySQL 5.5.24 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix an undisclosed security issue (thanks Oracle) and some other bugs as well. As usual, please read the full Changelog carefully before upgrading. Note : the packages have been updated to include a missing init script. Sorry…

Security update : MySQL 5.1.62

Posted by & filed under MySQL.

MySQL 5.1.62 packages are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures. This is an important security update that fixes unspecified vulnerabilities identified by Oracle in all versions of MySQL 5.1 earlier than 5.1.62. If you did not upgrade to MySQL 5.5, please consider upgrading your MySQL server (at least) to 5.1.62…

Redis 2.4.13

Posted by & filed under Redis.

Redis 2.4.13 has been released to fix a critical bug in the KEYS command : “[BUGFIX] Fix for KEYS command: if the DB contains keys with expires the KEYS command may return the wrong output, having duplicated or missing keys.” See issues #487 and #488 on GitHub for details. The packages are now available for Debian…

Nginx 1.2.0 with Naxsi 0.45 and Passenger 3.0.12

Posted by & filed under Nginx.

Dotdeb’s packages of the long-awaited Nginx 1.2.0 are now available for Debian 6.0 “Squeeze” (amd64/i386) in five flavors : nginx-light, nginx-naxsi, nginx-full, nginx-passenger and nginx-extras. This is a major release with a lot of improvements since the former 1.0 branch. Please take a look at Nginx’s official Changelog before upgrading. On the Dotdeb side : Naxsi,…

Security : Nginx 1.0.15

Posted by & filed under Nginx.

Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module : “Security: specially crafted mp4 file might allow to overwrite memory locations in a worker process if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089).” Thanks to Matthew Daley…

Security : Nginx 1.0.14

Posted by & filed under Nginx.

Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure : “Security: content of previously freed memory might be sent to a client if backend returned specially crafted response.” Thanks to Matthew Daley. Upgrading is strongly recommended.

Security update : MySQL 5.1.61

Posted by & filed under MySQL.

MySQL 5.1.61 packages are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures. This is a very important security update that fixes unspecified vulnerabilities identified by Oracle in all versions of MySQL 5.1 earlier than 5.1.61. If you did not upgrade to MySQL 5.5, please consider upgrading your MySQL server (at least) to…

Security update : PHP 5.3.10

Posted by & filed under PHP.

A few hours ago, PHP 5.3.10 was released by the PHP Group. It’s an important security update for PHP 5.3.9 users : Stefan Esser discovered a remotely exploitable bug introduced with PHP 5.3.9’s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible. Packages of PHP 5.3.10 are now available for : both Debian…

Advisory : buffer overflow in php5-suhosin

Posted by & filed under PHP.

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory. If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin