December 2009


MySQL released version 5.0.89

MySQL released new versions of the 5.0.x community version of their database server. There were no security issues related to this release, so if you are not affected I would not advise you to upgrade. I’ve upgraded all my servers without any issue following the normal upgrade path as documented.

Read more about the specifics for this release here: Changes in MySQL 5.0.89

PHP updated to 5.2.12

The PHP development team have released PHP 5.2.12. This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release. The security enhancements and fixes in PHP 5.2.12 are:

  • Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
  • Fixed an open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
  • Added “max_file_uploads” INI directive, which can be set to limit the number of file uploads per request (20 by default), to prevent possible DoS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
  • Added protection for $_SESSION from interrupt corruption and improved “session.save_path” check, identified by Stefan Esser. (CVE-2009-4143, Stas)
  • Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)

For instructions on how to upgrade PHP please read: Upgrading PHP.

Dovecot updated to 1.2.9

Timo released another bugfix release of Dovecot; he hopes it will last for the next few months. I guess he needs more time for the 2.x release which is coming along nicely. Bugs fixed in this release are:

  • maildir: When saving, filenames now always contain ,S=. Previously this was done only when quota plugin was loaded. It’s required for zlib plugin and may be useful for other things too.
  • lazy-expunge: Support a single-namespace configuration. If a mailbox is deleted, its messages are merged with its old expunged messages (if there were any).
  • expire: Settings now support spaces in mailbox names by using quoted strings.
  • maildir: v1.2.7 and v1.2.8 caused assert-crashes in maildir_uidlist_records_drop_expunges().
  • maildir_copy_preserve_filename=yes could have caused crashes.
  • Maildir++ quota: % limits weren’t updated when limits were read from maildirsize.
  • virtual: v1.2.8 didn’t fully fix the “lots of mailboxes” bug.
  • virtual: Fixed updating virtual mailbox based on flag changes.
  • fts-squat: Fixed searching multi-byte characters.