From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Feb 2 17:30:12 2012
Date: Thu, 2 Feb 2012 17:21:33 GMT
From: Hilko Meyer
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/164712: security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow
Message-Id: <201202021721.q12HLXUf061436@red.freebsd.org>

>Number: 164712
>Category: ports
>Synopsis: security/php-suhosin 0.9.33 available with fix for a possible stack buffer overflow
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 02 17:30:11 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Hilko Meyer
>Release:
>Organization:
>Environment:
>Description:
Hi,

suhosin 0.9.33 was recently released. They found a possible security problem which is not in the default configuration.

Advisory: http://seclists.org/fulldisclosure/2012/Jan/295
Changelog: http://www.hardened-php.net/suhosin/changelog.html

2012.01.19: Version 0.9.33
- Make clear that suhosin is incompatible with mbstring.encoding_translation=On
- Stop mbstring extension from replacing POST handlers
- Added detection of extensions manipulating POST handlers
- Fixed: environment variables for logging do not go through the filter extension anymore
- Fixed stack based buffer overflow in transparent cookie encryption (see separate advisory)
- Fixed that disabling HTTP response splitting protection also disabled NUL byte protection in HTTP headers
- Removed crypt() support, because it is not used for PHP >= 5.3.0 anyway
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: