CVE-2012-0788

Published: 20 January 2012

The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server.

Priority

Status

Package	Release	Status
php5 Launchpad, Ubuntu, Debian	upstream	Released (5.3.9)
	hardy	Released (5.2.4-2ubuntu5.22)
	lucid	Released (5.3.2-1ubuntu4.13)
	maverick	Released (5.3.3-1ubuntu9.9)
	natty	Released (5.3.5-1ubuntu7.6)
	oneiric	Released (5.3.6-13ubuntu3.5)
	Patches: upstream: http://svn.php.net/viewvc?view=revision&revision=317272

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0788
http://openwall.com/lists/oss-security/2012/01/20/3
https://ubuntu.com/security/notices/USN-1358-1
NVD
Launchpad
Debian

Bugs

https://bugs.php.net/bug.php?id=55776

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›