Upgrade Apache & PHP

By | 4 February 2008

We have now upgraded Apache and PHP on the server machine04.
Changes with Apache 1.3.41

*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox]

Changes with Apache 1.3.40 (not released)

*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]

*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.
[Jeff Trawick]

*) More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus “Bad pid”
errors. [Jim Jagielski, Jeff Trawick]
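The CVE-2007-6388 entry above says the fix makes mod_status accept only a numeric refresh parameter. As an added example (not Apache's own mod_status code), this shows the pre-fix header construction beside the numeric-only version, run over constructed sample values of the query parameter; the 6-digit upper bound is an assumption:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Apache's code. mod_status turns "?refresh=N" into a
 * "Refresh: N" response header. Before CVE-2007-6388 the value was echoed
 * as received; the fix accepts only a plain non-negative integer. */

/* Pre-fix behaviour: copies whatever the client sent into the header. */
int build_refresh_header_unchecked(const char *value, char *out, size_t outlen)
{
    if (value == NULL || *value == '\0')
        return 0;
    return snprintf(out, outlen, "Refresh: %s", value) < (int)outlen;
}

/* Fixed behaviour: returns 1 and writes "Refresh: N" into out only when
 * value is all digits (at most 6, an assumed bound); 0 and no header otherwise. */
int build_refresh_header(const char *value, char *out, size_t outlen)
{
    size_t i, n;
    long secs = 0;

    if (value == NULL || *value == '\0')
        return 0;
    n = strlen(value);
    if (n > 6)
        return 0;
    for (i = 0; i < n; i++) {
        if (!isdigit((unsigned char)value[i]))
            return 0;   /* rejects ";url=...", spaces, signs, letters */
        secs = secs * 10 + (value[i] - '0');
    }
    return snprintf(out, outlen, "Refresh: %ld", secs) < (int)outlen;
}

int main(void)
{
    /* constructed sample values of the refresh query parameter */
    const char *samples[] = { "10", "007", "5;url=http://example.com/", "abc" };
    char hdr[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-28s unchecked: %s\n", samples[i],
               build_refresh_header_unchecked(samples[i], hdr, sizeof hdr) ? hdr : "(none)");
        printf("%-28s checked:   %s\n", samples[i],
               build_refresh_header(samples[i], hdr, sizeof hdr) ? hdr : "(none)");
    }
    return 0;
}
```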

Security Enhancements and Fixes in PHP 4.4.8:

  • Improved fix for MOPB-02-2007.
  • Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.
  • Fixed integer overflow in str[c]spn().
  • Fixed regression in glob when open_basedir is on introduced by #41655 fix.
  • Fixed money_format() not to accept multiple %i or %n tokens.
  • Added “max_input_nesting_level” php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.
  • Fixed INFILE LOCAL option handling with MySQL – now not allowed when open_basedir or safe_mode is active.
  • Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378).

For a full list of changes in PHP 4.4.8, see the ChangeLog.