Advisory : buffer overflow in php5-suhosin

A few days ago, Stefan Esser discovered a buffer overflow in the “transparent cookie encryption stack” of the Suhosin extension. Here is the full advisory.

If you previously installed the php5-suhosin package, you should upgrade to the fixed version (0.9.33) by running :

apt-get update
apt-get install --reinstall php5-suhosin

Percona toolkit 2.0.2

A few days ago, Percona released a major version of their Percona toolkit (formerly named Maatkit), bringing a lot of improvements, especially on pt-table-checksum. Baron Schwartz wrote a post about it.

Percona toolkit 2.0.2 is now available on Dotdeb for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

Redis 2.4.6

Redis 2.4.6 has been released with these changes :

  • [BUGFIX] Fixed issue #141 part 1: Possible protocol desyncs when clients send a wrong protocol are now fixed. (See issue 141 for more details)
  • [BUGFIX] Fixed issue #141 part 2: Connection of multiple slaves used to result from time to time in a corrupted protocol sent to slaves connected after the first one. (See issue 141 for more details)
  • [BUGFIX] Do not propagate DEBUG LOADAOF.
  • New INFO contains information such as ip/port/state for every connected slave.
  • Show GCC version in INFO output.

The packages of Redis 2.4.6 are now available for Debian 6.0 “Squeeze” on both amd64 and i386 architectures.

PHP 5.3.9

On January 10th 2012, the PHP group released PHP 5.3.9, which brings over 90 bug fixes, some of which are security related :

Security Enhancements and Fixes in PHP 5.3.9:

  • Added max_input_vars directive to prevent attacks based on hash collisions. (CVE-2011-4885)
  • Fixed bug #60150 (Integer overflow during the parsing of invalid exif header). (CVE-2011-4566)

Key enhancements in PHP 5.3.9 include:

  • Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to is_a and is_subclass_of).
  • Fixed bug #55609 (mysqlnd cannot be built shared)
  • Many changes to the FPM SAPI module

PHP 5.3.9 is now available on Dotdeb for :

  • both Debian 6.0 “Squeeze” and Debian 5.0 “Lenny”
  • both amd64 and i386 architectures

As usual, please read the ChangeLog before upgrading and be sure to use the latest packages before reporting any issue.

[edit] the packages have been updated to fix some Suhosin- and strtotime()-related issues. You really should upgrade at least :

  • to 5.3.9-0~dotdeb.3 if you’re running Squeeze
  • to 5.3.9-0~dotdeb.2 if you’re running Lenny