4.143. php

Updated php packages that fix one security issue are now available for Red Hat Enterprise Linux 4, 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Security Fix

It was discovered that the fix for CVE-2011-4885 (released via RHSA-2012:0071, RHSA-2012:0033, and RHSA-2012:0019 for php packages in Red Hat Enterprise Linux 4, 5, and 6 respectively) introduced an uninitialized memory use flaw. A remote attacker could send a specially-crafted HTTP request to cause the PHP interpreter to crash or, possibly, execute arbitrary code.
All php users should upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the updated packages, the httpd daemon must be restarted for the update to take effect.
Updated php packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.

Bug Fixes

PNG files in certain formats, which were loaded with the "gd" extension, were displayed incorrectly. This update adds support for such files and the files are now loaded correctly.
Connecting to an Internet Message Access Protocol (IMAP) service could fail with the following error message:
PHP Warning: imap_open(): Couldn't open stream
This happened if the server advertised support for Kerberos authentication, but the client was not configured to use Kerberos. This update adds the DISABLE_AUTHENTICATOR option for the imap_open() function, which allows to disable a specific authentication method.
A PHP script that is using the ODBC interfaces could enter a deadlock if the maximum execution time period expires while it is executing an SQL statement. This occurs because the execution timer uses a signal and the invoked ODBC functions are not reentrant. This update modifies the underlying code so the deadlock is less likely to occur.
Previously, the PHP mktime() function and some daytime functions were limited to 32-bit time stamps on 64-bit platforms due to a build configuration error. This update fixes the error and allows the use of 64-bit time stamps on 64-bit platforms.
If a prepared statement was unset when using PostgreSQL through the PHP Data Objects (PDO) interface, the current transaction was aborted. This caused subsequent SQL queries in the transaction to fail. With this update, the prepared statement is unset correctly and subsequent queries work as expected.
If a negative array index value was sent to the var_export() function, the function returned an unsigned index ID. With this update, the function has been modified to process negative array index values correctly.


The php package description has been improved.
All php users are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.