Say what you want about the ethics of the "month of bugs" phenomenon, but these vulnerability disclosure projects are getting immediate -- and valuable -- results.
On the heels of Apple, Microsoft and others patching serious holes exposed during month-of-bugs projects, the PHP Group has released PHP 4.4.7 with fixes for seven security vulnerabilities discussed in Stefan Esser's month of PHP bugs.
During the month of March, Esser released details -- and exploit code where applicable -- for a total of 45 potentially serious vulnerabilities in the open-source scripting language.
At the time, Esser said he was motivated by the PHP Group's blasé approach to confirming and fixing exploitable flaws but, from the look of things, the PHP development team was paying close attention to Esser's disclosures.
The eight month of PHP bugs issues covered by PHP 4.4.7 are:
- Fixed asciiz byte truncation inside mail() -- (MOPB-33)
- Fixed a bug in mb_parse_str() that can be used to activate register_globals -- (MOPB-26)
- Fixed unallocated memory access/double free in array_user_key_compare() -- (MOPB-24)
- Fixed a double free inside session_regenerate_id() -- (MOPB-22)
- Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers -- (MOPB-21)
- Limit nesting level of input variables with max_input_nesting_level as fix for (MOPB-03)
- XSS in phpinfo() -- (MOPB-8)
"While majority of the issues outlined above are local, few issues such as the XML-RPC overflows can be triggered remotely and therefore should be considered critical. If you use the XML-RPC extension consider upgrading as soon as possible," the PHP development team said.
Ubuntu and Debian have both issued new PHP packages to incorporate fixes for Esser's vulnerabilities.