Subject: CVS commit: pkgsrc/www/php4
To: None <pkgsrc-changes@NetBSD.org>
From: Adrian Portelli <adrianp@netbsd.org>
List: pkgsrc-changes
Date: 05/06/2007 19:50:18
Module Name: pkgsrc
Committed By: adrianp
Date: Sun May 6 19:50:18 UTC 2007
Modified Files:
pkgsrc/www/php4: Makefile Makefile.common distinfo
Removed Files:
pkgsrc/www/php4/patches: patch-ae
Log Message:
Update to 4.4.7
* Fixed CVE-2007-1001, GD wbmp used with invalid image size (by Ivan Fratric)
* Fixed asciiz byte truncation inside mail() (MOPB-33 by Stefan Esser)
* Fixed a bug in mb_parse_str() that can be used to activate register_globals
(MOPB-26 by Stefan Esser)
* Fixed unallocated memory access/double free in in array_user_key_compare()
(MOPB-24 by Stefan Esser)
* Fixed a double free inside session_regenerate_id() (MOPB-22 by Stefan Esser)
* Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
(MOPB-21 by Stefan Esser).
* Limit nesting level of input variables with max_input_nesting_level as fix for
(MOPB-03 by Stefan Esser)
* Fixed CRLF injection inside ftp_putcmd(). (by loveshell[at]Bug.Center.Team)
* Fixed a possible super-global overwrite inside import_request_variables().
(by Stefano Di Paola, Stefan Esser)
* Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc
library. (by Stanislav Malyshev)
* XSS in phpinfo() (MOPB-8 by Stefan Esser)
To generate a diff of this commit:
cvs rdiff -r1.76 -r1.77 pkgsrc/www/php4/Makefile
cvs rdiff -r1.55 -r1.56 pkgsrc/www/php4/Makefile.common
cvs rdiff -r1.64 -r1.65 pkgsrc/www/php4/distinfo
cvs rdiff -r1.7 -r0 pkgsrc/www/php4/patches/patch-ae
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.