The Open SUSE group has released an update for a list of their software to bring their PHP4 and PHP5 packages up to date.

php5 was updated to version 5.2.5 to fix several security vulnerabilities. For php4 on SLES9 the patches were backported.

You can find out more about the issues corrected as well as links to the packages that have been updated in the advisory message.

As mentioned in this new security advisory from Avaya, there's a risk that the PHP version included with their Messaging systems could provide a hole for a would-be attacker to gain access.

Issues have been reported in the following:

• integer overflow vulnerabilities in the PHP gd extension
• integer overflow vulnerability in the PHP chunk_split function
• a security update has introduced a bug into PHP session cookie handling
• vulnerability in the PHP money_format function
• vulnerability in the PHP wordwrap function
• vulnerability in PHP session cookie handling
• vulnerability in the PHP gc extension

The advisory contains links to more information from RedHat on these issues and includes a list of systems effected as well as recommended actions to take.

The Red Hat linux group has issued an update for their PHP packages today:

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

You can get more information about this moderate level advisory from the Red Hat advisory including the affected products and the list of packages that should be updated to bring your installation up to date.

Via this Secunia advisory posted today, there's information about the update the Fedora Linux group has made to the PHP package included in their distribution. According to the release:

This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

The original advisory post has more details on what the update fixes as well as the link to download the RPM packages to update your system. You can either manually download them or use the "yum" system to handle things a bit more automatically.

On the Secunia site today, there's a new advisory posted for users of Red Hat linux - an update to the system's PHP packages.

Red Hat has issued an update for php. This fixes some vulnerabilities, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

The original advisory has more details on what the patch fixes and the checksum information for the update packages for all OSes.

As mentioned in this advisory on the Secunia website (reposted from the original advisory) the Fedora Linux group has posted an update for their PHP package to bring it up to date with the recent PHP 5.2.4 release.

Fedora has issued an update for php. This fixes a weakness and some vulnerabilities, where some have unknown impacts and others can be exploited by malicious users and malicious, local users to bypass certain security restrictions.

You can find the complete list of packages that were updated in their advisory posting and a brief mention of the easiest way for you to update your distribution (yum).

According to this new advisory on the Secunia website, rPath has updated more of their PHP packages and has marked the update as "moderately critical" to keeping your systems safe.

rPath has issued an update for multiple php packages. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious, local users and malicious users to bypass certain security restrictions.

The original advisory has links to the updated versions and to references as to what has changed.

In its default configuration, rPath Linux 1 does not install php5 and is thus not vulnerable to these attacks; however, systems to which php5 has been added may be vulnerable to one or more of these attacks.

Secunia.com reports that multiple vulnerabilities have been found in the Joomla! content management system:

Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious people to conduct session fixation attacks, cross-site scripting attacks or HTTP response splitting attacks.

The issues are marked as "less critical" but users should still update to the latest version to avoid these issues:

• Certain unspecified input passed in com_search, com_content and mod_login is not properly sanitised before being returned to a user
• Input passed to the "url" parameter is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers.
• An error exists in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.

See the original advisory post here.

Secunia.com has posted about the latest PHP package update for the Ubuntu linux distribution in a "highly critical" level update for relases 6.06, 6.10 and 7.04.

Ubuntu has issued an update for php. This fixes a vulnerability and a weakness, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a vulnerable system.

The post has links to all of the packages for every type of the distribution, including the architecture independent packages. Click on over and grab your update to bring your system up to date and safe.

Secunia has posted a vulnerability marked as "highly critical" for users of any of the Avaya products that use PHP:

Avaya has acknowledged some vulnerabilities in various Avaya products, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions and potentially by malicious people to compromise a vulnerable system.

The following products are affected:

• Avaya Communication Manager (CM 4.0 and CM 2.x prior to load 127.0)
• Avaya CCS/SES (CCS/SES 3.1.1)
• Avaya AES (AES 4.0)

Currently, according to the original announcement from Avaya, there are two issues that have been found and are able to be exploited - an issue with the xmlrpc extension and a problem with the ftp extension. Currently, there is no patch to correct these issues, but you can keep track of their current status via their entries