If you're running MediaWiki on a 32-bit platform, you should upgrade to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux distribution which includes a fix for CVE-2010-4645. If you run MediaWiki on a 32-bit platform with an earlier version of PHP, you will be vulnerable to a denial-of-service vulnerability.
CVE-2010-4645 is a vulnerability which causes the conversion from a string to a floating-point number to take forever, for certain special strings. PHP's weak typing means that such conversion can take place implicitly, for example in code like "$string > 0". I can confirm that MediaWiki has modules which will convert user input to a floating-point number. Conversion can be triggered by an attacker with no special privileges.
PHP release announcement: http://www.php.net/archive/2011.php#id2011-01-06-1
Updated Ubuntu packages: http://www.ubuntu.com/usn/usn-1042-1
-- Tim Starling
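The implicit conversion Tim describes, together with the two checks an operator would want before and after the upgrade, as an added example. This is PHP written for this page, not MediaWiki's or PHP's own code: the fixed-version thresholds (5.3.5 / 5.2.17) and the 32-bit condition come from the message above; the function names, the digit caps and the sample inputs are assumptions chosen for illustration. The version heuristic deliberately reports "check your vendor" rather than "vulnerable", because, as the message notes, distribution packages carry the fix without changing PHP_VERSION. The CVE's trigger value is not reproduced here.

```php
<?php
// Added example (not MediaWiki code). Shows the implicit string-to-float
// conversion that CVE-2010-4645 abuses, a build heuristic, and strict
// input validation that keeps attacker-controlled text away from the
// float parser. Digit caps and function names are illustrative choices.

/**
 * Heuristic only: a 32-bit build of a PHP version older than the fixed
 * releases named in the advisory (5.3.5 / 5.2.17). Distribution packages
 * backport the fix without bumping PHP_VERSION, so "true" means
 * "check the vendor changelog", not "vulnerable".
 */
function isPossiblyAffectedBuild($intSize = PHP_INT_SIZE, $version = PHP_VERSION) {
    if ($intSize !== 4) {
        return false;          // the bug does not affect 64-bit builds
    }
    if (version_compare($version, '5.3.0', '>=')) {
        return version_compare($version, '5.3.5', '<');
    }
    return version_compare($version, '5.2.17', '<');
}

/**
 * The weak-typing pattern from the advisory: comparing a string with a
 * number converts the string to a float first, so whoever controls $raw
 * (for example $_GET['limit']) controls the input to that conversion.
 */
function vulnerablePattern($raw) {
    return ($raw > 0) ? 'positive' : 'non-positive';   // "$raw > 0" converts $raw
}

/**
 * Hardened: decide what the parameter may look like *before* any numeric
 * conversion. A bounded run of digits cannot spell a value near the
 * double denormal boundary, so the float parser never sees such input.
 * Returns an int, or null for anything that does not match.
 */
function parseBoundedInt($raw, $maxDigits = 9) {
    if (!is_string($raw) || !preg_match('/^[0-9]{1,' . (int)$maxDigits . '}$/', $raw)) {
        return null;
    }
    return (int)$raw;
}

/**
 * Same idea where decimal input is genuinely needed: digits, an optional
 * fraction, no exponent, bounded length. The regex is the gate; the cast
 * runs only on input that passed it.
 */
function parseBoundedDecimal($raw, $maxDigits = 10) {
    $d = (int)$maxDigits;
    if (!is_string($raw) || !preg_match("/^-?[0-9]{1,$d}(\\.[0-9]{1,$d})?$/", $raw)) {
        return null;
    }
    return (float)$raw;
}

/**
 * Drop-in replacement for vulnerablePattern(): input that fails validation
 * is rejected without ever reaching the ">" comparison, and the comparison
 * itself is int against int, so no string conversion happens at all.
 */
function hardenedPattern($raw) {
    $n = parseBoundedInt($raw);
    if ($n === null) {
        return 'rejected';
    }
    return ($n > 0) ? 'positive' : 'non-positive';
}

// Constructed sample inputs for demonstration (no CVE trigger value used).
$samples = array('25', '0', '1e5', '1.5e-307', 'abc', str_repeat('9', 400));
foreach ($samples as $s) {
    printf("%-12s -> %s\n", substr($s, 0, 12), hardenedPattern($s));
}
printf("decimal '3.25' -> %s\n", var_export(parseBoundedDecimal('3.25'), true));
printf("decimal '3e-5' -> %s\n", var_export(parseBoundedDecimal('3e-5'), true));
printf("32-bit pre-fix build heuristic: %s\n",
    isPossiblyAffectedBuild() ? 'yes, check vendor patches' : 'no');
```

Input validation of this kind is defence in depth, not a substitute for the upgrade: it only protects the code paths that use it, and MediaWiki has more than one place where user input becomes a number, as the message above points out.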
On Thu, 13 Jan 2011, Tim Starling wrote:
> If you're running MediaWiki on a 32-bit platform, you should upgrade to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux distribution which includes a fix for CVE-2010-4645. If you run MediaWiki on a 32-bit platform with an earlier version of PHP, you will be vulnerable to a denial-of-service vulnerability.
Debian users might want to consider the dotdeb versions:
http://www.dotdeb.org/instructions/
On Lenny, this will upgrade you from PHP 5.2 to PHP 5.3 which may be a compatibility issue for other software. (And I'm guessing the list admins would rather we not discuss PHP upgrade headaches here).
mediawiki-l@lists.wikimedia.org