The blowfish password hashing implementation did not
properly handle 8-bit characters in passwords, which made it
easier for attackers to crack the hash (CVE-2011-2483).
After this update existing hashes with id "$2a$" for
passwords that contain 8-bit characters will no longer be
compatible with newly generated hashes. Affected users will
either have to change their password to store a new hash or
the id of the existing hash has to be manually changed to
"$2x$" in order to activate a compat mode. Please see the
description of the CVE-2011-2483 glibc update for details.
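
The manual id change described above, as an added Python example that is not part of the original advisory or of the php or glibc packages. The "user:hash" record layout, the function names and the set of affected users are assumptions; a hash does not reveal whether its password contained 8-bit characters, so the affected accounts have to be named by the administrator.

```python
import re

# Modular-crypt bcrypt layout:
#   $<id>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[axy]?)\$(\d{2})\$([./A-Za-z0-9]{53})")


def to_compat(hash_str):
    """Switch a well-formed "$2a$" hash to "$2x$"; return anything else unchanged."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if m is None or m.group(1) != "2a":
        return hash_str
    return "$2x$" + m.group(2) + "$" + m.group(3)


def migrate(records, affected_users):
    """Rewrite "user:hash" records (hypothetical layout) for the named users only.

    Returns (new_records, changed_users). Hashes of users not listed stay on
    "$2a$", so they keep verifying with the corrected algorithm.
    """
    out, changed = [], []
    for line in records:
        user, sep, stored = line.partition(":")
        new = to_compat(stored) if sep and user in affected_users else stored
        if new != stored:
            changed.append(user)
        out.append(user + sep + new)
    return out, changed


# Constructed sample data: the salt/digest body is filler, not a real hash.
_BODY = "." * 22 + "A" * 31
SAMPLE = [
    "alice:$2a$08$" + _BODY,    # password with 8-bit characters: switch to $2x$
    "bob:$2a$08$" + _BODY,      # ASCII-only password: stays on $2a$
    "carol:$1$salt$notbcrypt",  # not a bcrypt hash: never touched
    "dave:$2a$8$" + _BODY,      # malformed cost field: never touched
]

if __name__ == "__main__":
    records, changed = migrate(SAMPLE, {"alice", "carol", "dave"})
    print("switched to compat mode:", changed)
    for r in records:
        print(r)
```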

File uploads could potentially overwrite files owned by the
user running PHP (CVE-2011-2202).

A long salt argument to the crypt function could cause a
buffer overflow (CVE-2011-3268).

Incorrect implementation of the error_log function could
crash PHP (CVE-2011-3267).

- Submitted by Adrian Schröter (adrianSuSE)
- Version 5113