http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4850 curl/interface.c in the cURL library (aka libcurl) in PHP 5.2.4 and 5.2.5 allows context-dependent attackers to bypass safe_mode and open_basedir restrictions and read arbitrary files via a file:// request containing a \x00 sequence, a different vulnerability than CVE-2006-2563. Based on change logs, upstream fix is http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.33&r2=1.62.2.14.2.34&view=patch
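The flaw described above is an embedded-NUL mismatch: PHP strings carry an explicit length, but the C-level open_basedir check saw a NUL-terminated string and validated only the prefix before the \x00. The following added userland check (not from the bug report or from PHP's own fix; checkCurlUrl and the demo directory are hypothetical) rejects NUL bytes and confines file:// targets before a URL ever reaches curl_setopt:

```php
<?php
// Added example, not the upstream fix: validate a URL before handing it
// to libcurl. Returns array(bool ok, string reason).
function checkCurlUrl($url, $allowedBase)
{
    // 1. Embedded NUL: strpos() sees the whole PHP string, unlike C code.
    if (strpos($url, "\0") !== false) {
        return array(false, 'embedded NUL byte in URL');
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme'])) {
        return array(false, 'unparseable URL or missing scheme');
    }
    $scheme = strtolower($parts['scheme']);
    // 2. Local files: resolve symlinks/.. and require the target to sit
    //    under $allowedBase (a userland mirror of open_basedir).
    if ($scheme === 'file') {
        $base = realpath($allowedBase);
        $path = realpath(isset($parts['path']) ? $parts['path'] : '');
        if ($base === false || $path === false) {
            return array(false, 'file path does not resolve');
        }
        if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
            return array(false, 'file outside allowed base directory');
        }
        return array(true, 'local file permitted');
    }
    // 3. Anything else: only http/https.
    if (!in_array($scheme, array('http', 'https'), true)) {
        return array(false, "scheme '$scheme' not allowed");
    }
    return array(true, 'remote URL permitted');
}

// Constructed demo: a hypothetical data directory with one readable file.
$allowedBase = sys_get_temp_dir() . '/curl-demo';
@mkdir($allowedBase);
file_put_contents($allowedBase . '/report.txt', "demo\n");
$samples = array(
    'https://example.com/feed.xml',                 // remote, allowed
    'file://' . $allowedBase . '/report.txt',       // inside base, allowed
    'file://' . $allowedBase . "/report.txt\0/x",   // NUL, rejected first
    'file://' . $allowedBase . '/../report.txt',    // escapes base, rejected
    'ftp://example.com/x',                          // scheme not allowed
);
foreach ($samples as $s) {
    list($ok, $why) = checkCurlUrl($s, $allowedBase);
    printf("%-8s %s (%s)\n", $ok ? 'OK' : 'REJECT', addcslashes($s, "\0"), $why);
}
```

On PHP builds where it is available (CURLOPT_PROTOCOLS, PHP 5.2.10+ with libcurl 7.19.4+), also set `CURLOPT_PROTOCOLS` to `CURLPROTO_HTTP | CURLPROTO_HTTPS` so libcurl itself refuses file:// regardless of the userland check.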
NVD statement regarding this flaw and php packages shipped in Red Hat Enterprise Linux and Red Hat Application Stack is available on the URL also mentioned in the initial comment - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4850:

Official Statement from Red Hat (1/25/2008): We do not consider these to be security issues. For more details see http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169857#c1 and http://www.php.net/security-note.php

There is currently no plan to backport a fix for this issue to Red Hat Enterprise Linux and Red Hat Application Stack php packages. For Fedora, this issue will most likely be fixed once the next upstream release - 5.2.6 (not yet released upstream) - is uploaded to Fedora repositories.
Fedora packages are already updated to upstream version 5.2.6. *** This bug has been marked as a duplicate of 169857 ***