Debian: DSA-021-2 Urgent: PHP5 Remote Exploit DoS Threat

The Zend people have found a vulnerability in older versions of PHP4
(the original advisory speaks of 4.0.4 while the bugs are present in
4.0.3 as well). It is possible to specify PHP directives on a
per-directory basis which leads to a remote attacker crafting an HTTP
request that would cause the next page to be served with the wrong
values for these directives. Also even if PHP is installed, it can be
activated and deactivated on a per-directory or per-virtual host basis
using the "engine=on" or "engine=off" directive. This setting can be
leaked to other virtual hosts on the same machine, effectively
disabling PHP for those hosts and resulting in PHP source code being
sent to the client instead of being executed on the server.

We recommend you upgrade your php4 packages.

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 al...