Fedora Legacy Update Advisory FLSA:175040 - Updated PHP packages that fix multiple security issues are now available.
6382666dcf9fb13011c3abaf40247e5cf18929705785e0aa4c1dd3b68c33de2b
Ubuntu Security Notice USN-261-1 - Stefan Esser discovered that the 'session' module did not sufficiently verify the validity of the user-supplied session ID. A remote attacker could exploit this to insert arbitrary HTTP headers into the response sent by the PHP application, which could lead to HTTP response splitting and cross-site scripting attacks. PHP applications were also vulnerable to several cross-site scripting flaws if the options 'display_errors' and 'html_errors' were enabled. Please note that enabling 'html_errors' is not recommended for production systems.
016844a2172c42aa6db55405377b83f5dbaca538a695f0629958e21295374915
Mandriva Linux Security Advisory - Multiple response splitting vulnerabilities in PHP allow remote attackers to inject arbitrary HTTP headers via unknown attack vectors, possibly involving a crafted Set-Cookie header, related to the session extension (aka ext/session) and the header function. Multiple cross-site scripting (XSS) vulnerabilities in PHP allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in certain error conditions.
c98385883dccd198b6d3864905ce4577e8f33952b37da51c5c40bcbe9a83eb70