PublicDateAtUSN: 2009-11-23
Candidate: CVE-2009-4017
PublicDate: 2009-11-24 00:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017
 https://ubuntu.com/security/notices/USN-862-1
Description:
 PHP before 5.2.12 and 5.3.x before 5.3.1 does not restrict the number of
 temporary files created when handling a multipart/form-data POST request,
 which allows remote attackers to cause a denial of service (resource
 exhaustion), and makes it easier for remote attackers to exploit local file
 inclusion vulnerabilities, via multiple requests, related to lack of support
 for the max_file_uploads directive.
Ubuntu-Description:
Notes:
 mdeslaur> introduces a new option
Bugs:
 http://bugs.gentoo.org/show_bug.cgi?id=293888
Priority: medium
Discovered-by:
Assigned-to:
CVSS:

Patches_php5:
 upstream: http://svn.php.net/viewvc?view=revision&revision=289990
 upstream: http://svn.php.net/viewvc?view=revision&revision=290029
 upstream: http://svn.php.net/viewvc?view=revision&revision=290306
upstream_php5: released (5.3.1)
dapper_php5: released (5.1.2-1ubuntu3.17)
hardy_php5: released (5.2.4-2ubuntu5.9)
intrepid_php5: released (5.2.6-2ubuntu4.5)
jaunty_php5: released (5.2.6.dfsg.1-3ubuntu4.4)
karmic_php5: released (5.2.10.dfsg.1-2ubuntu6.3)
devel_php5: released (5.2.11.dfsg.1-2ubuntu1)