CVE-2008-3660
Published: 14 August 2008
PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.
Priority
Status
Package | Release | Status |
---|---|---|
php4 (Launchpad, Ubuntu, Debian) | dapper | Ignored (end of life) |
php4 | feisty | Does not exist |
php4 | gutsy | Does not exist |
php4 | hardy | Does not exist |
php4 | intrepid | Does not exist |
php4 | jaunty | Does not exist |
php4 | karmic | Does not exist |
php4 | upstream | Needed |
php5 (Launchpad, Ubuntu, Debian) | dapper | Released (5.1.2-1ubuntu3.13) |
php5 | feisty | Ignored (end of life, was needed) |
php5 | gutsy | Released (5.2.3-1ubuntu6.5) |
php5 | hardy | Released (5.2.4-2ubuntu5.5) |
php5 | intrepid | Released (5.2.6-2ubuntu4.1) |
php5 | jaunty | Not vulnerable (5.2.6.dfsg.1-3ubuntu2) |
php5 | karmic | Not vulnerable (5.2.6.dfsg.1-3ubuntu2) |
php5 | upstream | Needed |

Patches:

- vendor: http://www.debian.org/security/2008/dsa-1647
- vendor: http://patch-tracking.debian.net/patch/series/view/php5/5.2.0-8+etch13/141-CVE-2008-3660.patch
- upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch