Categories
PHP

Security : PHP 5.4.3 and PHP 5.3.13

PHP 5.4.3 and PHP 5.3.13 have been released by the PHP development team to fix some critical security issues :

  • Source code disclosure with a trivial request (CVE-2012-1823 and CVE-2012-2311) – PHP 5.4 and 5.3 are vulnerable.
  • Buffer overflow in apache_request_headers() (CVE-2012-2329) – only PHP 5.4 is vulnerable.

If you’re using the CGI flavor of PHP, upgrading is highly recommended. You can see more info on PHP’s website and on this useful blog post.

Packages of PHP 5.4.3 and PHP 5.3.13 are available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Please also note that they fix the error logging features of PHP-FPM.

As usual, please read the ChangeLog before upgrading and be sure to use the latest packages before reporting any issue.

Categories
MySQL

MySQL 5.5.24

The packages of MySQL 5.5.24 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix an undisclosed security issue (thanks Oracle) and some other bugs as well.

As usual, please read the full Changelog carefully before upgrading.

Note : the packages have been updated to include a missing init script. Sorry for the mess.

Categories
MySQL

Security update : MySQL 5.1.62

MySQL 5.1.62 packages are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures.

This is an important security update that fixes unspecified vulnerabilities identified by Oracle in all versions of MySQL 5.1 earlier than 5.1.62. If you did not upgrade to MySQL 5.5, please consider upgrading your MySQL server (at least) to 5.1.62.

FYI, the CVE list is as follows :

The corresponding Pinba storage engine has also been rebuilt.

And, as usual, please read the Changelog before upgrading.

Categories
Redis

Redis 2.4.13

Redis 2.4.13 has been released to fix a critical bug in the KEYS command :

  • [BUGFIX] Fix for the KEYS command: if the DB contains keys with expires, the KEYS command may return the wrong output, with duplicated or missing keys. See issues #487 and #488 on GitHub for details.

The packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. Upgrading is strongly advised.

Categories
Nginx

Nginx 1.2.0 with Naxsi 0.45 and Passenger 3.0.12

Dotdeb’s packages of the long-awaited Nginx 1.2.0 are now available for Debian 6.0 “Squeeze” (amd64/i386) in five flavors : nginx-light, nginx-naxsi, nginx-full, nginx-passenger and nginx-extras.

This is a major release with a lot of improvements since the former 1.0 branch. Please take a look at Nginx’ official Changelog before upgrading.

On the Dotdeb side :

  • Naxsi, a high performance, low rules maintenance Web Application Firewall module, has been upgraded to version 0.45. Please read its documentation for more info.
  • Passenger has been upgraded to version 3.0.12.
  • Because nginx-passenger is now dedicated to Passenger, nginx-extras does not contain it anymore. Don’t forget to back up your configuration files when switching from nginx-extras to nginx-passenger.

If you want to know which modules are included in each Nginx flavor, just take a look at this useful document.

Categories
Nginx

Security : Nginx 1.0.15

Nginx 1.0.15 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a buffer overflow in the ngx_http_mp4_module :

  • Security: a specially crafted mp4 file might allow memory locations in a worker process to be overwritten if the ngx_http_mp4_module was used, potentially resulting in arbitrary code execution (CVE-2012-2089). Thanks to Matthew Daley.
  • Bugfix: in the ngx_http_mp4_module.

Upgrading is recommended if you’re using the nginx-extras packages.

Categories
Nginx

Security : Nginx 1.0.14

Nginx 1.0.14 packages are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures. They fix a potential memory disclosure :

  • Security: the content of previously freed memory might be sent to a client if a backend returned a specially crafted response. Thanks to Matthew Daley.

Upgrading is strongly recommended.

Categories
MySQL

Security update : MySQL 5.1.61

MySQL 5.1.61 packages are now available for Debian 6.0 “Squeeze” on amd64 and i386 architectures.

This is a very important security update that fixes unspecified vulnerabilities identified by Oracle in all versions of MySQL 5.1 earlier than 5.1.61. If you did not upgrade to MySQL 5.5, please consider upgrading your MySQL server (at least) to 5.1.61.

FYI, the CVE list is as follows :

The corresponding Pinba storage engine has also been rebuilt.

And, as usual, please read the Changelog before upgrading.

Categories
PHP

Security update : PHP 5.3.10

A few hours ago, PHP 5.3.10 was released by the PHP Group. It’s an important security update for PHP 5.3.9 users : Stefan Esser discovered a remotely exploitable bug, introduced with PHP 5.3.9’s max_input_vars directive (CVE-2012-0830). You really should upgrade as soon as possible.

Packages of PHP 5.3.10 are now available for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”,
  • both amd64 and i386 architectures.

(Lenny packages will be available on php53.dotdeb.org during two weeks before being migrated to archives.dotdeb.org because of the end of Lenny’s security support)

Categories
PHP

Advisory : buffer overflow in php5-suhosin

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to its fixed new version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin
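Every post above boils down to the same question for an administrator: is the installed package still older than the version that carries the fix? The script below is an added example, not Dotdeb's own tooling; it compares the installed Debian package versions (via dpkg-query) with the fixed upstream versions named in these posts. The package names in the table are assumed to match the Dotdeb packages and may need adjusting for your flavor (e.g. php5-cgi vs. php5-fpm, mysql-server-5.1 for the 5.1 branch).

```shell
#!/bin/sh
# Added example: report Dotdeb packages still older than the fixed versions
# from the advisories above. Version comparison is pure sh/awk; only
# installed_version needs dpkg-query (Debian).

# package -> fixed upstream version (package names are assumptions)
FIXED_VERSIONS="
php5-cgi 5.3.13
mysql-server 5.5.24
redis-server 2.4.13
nginx-extras 1.0.15
php5-suhosin 0.9.33
"

# upstream_version '1:5.3.10-1~dotdeb.0' -> '5.3.10'
# strips the epoch ("1:") and the Debian revision ("-1~dotdeb.0")
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-.*$//'
}

# needs_upgrade INSTALLED FIXED -> exit 0 if INSTALLED is older than FIXED.
# Component-wise numeric comparison, so 1.0.15 is newer than 1.0.9.
needs_upgrade() {
    inst=$(upstream_version "$1")
    fixd=$(upstream_version "$2")
    awk -v a="$inst" -v b="$fixd" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0    # installed is older: upgrade needed
            if (xi > yi) exit 1    # installed is newer: fine
        }
        exit 1                     # equal: already at the fixed version
    }'
}

# installed_version PACKAGE -> dpkg version string, empty if not installed
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# Walk the table and print one line per installed package.
check_all() {
    printf '%s\n' "$FIXED_VERSIONS" | while read -r pkg fixed; do
        [ -n "$pkg" ] || continue
        inst=$(installed_version "$pkg")
        [ -n "$inst" ] || continue            # not installed: nothing to check
        if needs_upgrade "$inst" "$fixed"; then
            echo "UPGRADE $pkg: installed $inst, fixed in $fixed"
        else
            echo "ok      $pkg: $inst"
        fi
    done
}
```

Run `check_all` on the server after `apt-get update`; a line starting with UPGRADE means the package is still on a version the corresponding post flags as vulnerable.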