Saat ini kami telah mengupgrade Apache dan PHP di server machine04.
Changes with Apache 1.3.41
*) SECURITY: CVE-2007-6388 (cve.mitre.org)
mod_status: Ensure refresh parameter is numeric to prevent
a possible XSS attack caused by redirecting to other URLs.
Reported by SecurityReason. [Mark Cox]
Changes with Apache 1.3.40 (not released)
*) SECURITY: CVE-2007-5000 (cve.mitre.org)
mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
[Joe Orton]
*) SECURITY: CVE-2007-3847 (cve.mitre.org)
mod_proxy: Prevent reading past the end of a buffer when parsing
date-related headers. PR 41144.
With Apache 1.3, the denial of service vulnerability applies only
to the Windows and NetWare platforms.
[Jeff Trawick]
*) More efficient implementation of the CVE-2007-3304 PID table
patch. This fixes issues with excessive memory usage by the
parent process if long-running and with a high number of child
process forks during that timeframe. Also fixes bogus “Bad pid”
errors. [Jim Jagielski, Jeff Trawick]
Security Enhancements and Fixes in PHP 4.4.8:
- Improved fix for MOPB-02-2007.
- Fixed an integer overflow inside chunk_split(). Identified by Gerhard Wagner.
- Fixed integer overlow in str[c]spn().
- Fixed regression in glob when open_basedir is on introduced by #41655 fix.
- Fixed money_format() not to accept multiple %i or %n tokens.
- Addded “max_input_nesting_level” php.ini option to limit nesting level of input variables. Fix for MOPB-03-2007.
- Fixed INFILE LOCAL option handling with MySQL – now not allowed when open_basedir or safe_mode is active.
- Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378).
For a full list of changes in PHP 4.4.8, see the ChangeLog.
