Gentoo Linux Security Advisory 201001-3 - Multiple vulnerabilities were found in PHP, the worst of which leading to the remote execution of arbitrary code. Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below and the associated PHP release notes for details. Versions less than 5.2.12 are affected.
aff1f9bdb3800d54675a65671b47a6ba413ece16b6ab47e89279c16cfaa490a7
Debian Security Advisory 1789-1 - Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor.
100a5040d4193726e6aaec8b6a7e78375f9a96e618e105219e44df555dd8498e
Ubuntu Security Notice USN-761-1 - It was discovered that PHP did not sanitize certain error messages when display_errors is enabled, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. It was discovered that PHP did not properly handle the mbstring.func_overload setting within .htaccess files when using virtual hosts. A virtual host administrator could use this flaw to cause settings to be applied to other virtual hosts on the same server. It was discovered that PHP did not properly handle certain malformed strings when being parsed by the json_decode function. A remote attacker could exploit this flaw and cause the PHP server to crash, resulting in a denial of service. This issue only affected Ubuntu 8.04 and 8.10.
a395489f8192730cf1245537c3a3b1a0804639245e2d8915b403959163756996
Mandriva Linux Security Advisory 2009-066 - PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within.htaccess, which causes this setting to be applied to other virtual hosts on the same server. The updated packages have been patched to correct these issues.
ca933f1a927d0df3b27c6a1b7eeda71f826379ed09c2498ed13db80970312993
Mandriva Linux Security Advisory 2009-065 - A vulnerability in the cURL library in PHP allowed context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files using a special URL request. Improved mbfl_filt_conv_html_dec_flush() error handling in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c. PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within.htaccess, which causes this setting to be applied to other virtual hosts on the same server. The updated packages have been patched to correct these issues.
81600b7210442d8910e0548f3b3b74df0d0b40a044f36901a7a75ad77feb28fc