=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN072
_____________________________________________________________________

DATE                      : 01/03/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running PHP versions prior to 5.2.13.

======================================================================
http://www.php.net/releases/5_2_13.php
______________________________________________________________________


PHP 5.2.13 Release Announcement

The PHP development team would like to announce the immediate availability
of PHP 5.2.13. This release focuses on improving the stability of the PHP
5.2.x branch with over 40 bug fixes, some of which are security related.
All users of PHP 5.2 are encouraged to upgrade to this release.

Security Enhancements and Fixes in PHP 5.2.13:

    * Fixed safe_mode validation inside tempnam() when the directory
path does not end with a /). (Martin Jansen)
    * Fixed a possible open_basedir/safe_mode bypass in the session
extension identified by Grzegorz Stachowiak. (Ilia)
    * Improved LCG entropy. (Rasmus, Samy Kamkar)

Key enhancements in PHP 5.2.13 include:

    * Fixed bug #50940 Custom content-length set incorrectly in Apache
sapis. (Brian France, Rasmus)
    * Fixed bug #50847 (strip_tags() removes all tags greater then 1023
bytes long). (Ilia)
    * Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob)
    * Fixed bug #50632 (filter_input() does not return default value if
the variable does not exist). (Ilia)
    * Fixed bug #50540 (Crash while running ldap_next_reference test cases).
(Sriram)
    * Fixed bug #49851 (http wrapper breaks on 1024 char long headers). (Ilia)
    * Over 30 other bug fixes.

For users upgrading from PHP 5.0 and PHP 5.1, an upgrade guide is available
here, detailing the changes between those releases and PHP 5.2.13.

For a full list of changes in PHP 5.2.13, see the ChangeLog.


======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================