Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[ MDKSA-2006:074 ] - Updated php packages address multiple vulnerabilities.
From: security () mandriva com
Date: Mon, 24 Apr 2006 15:38:56 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:074
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : php
 Date    : April 24, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A cross-site scripting (XSS) vulnerability in phpinfo (info.c) in PHP
 <= 5.1.2 allows remote attackers to inject arbitrary web script or HTML
 via long array variables, including (1) a large number of dimensions
 or (2) long values, which prevents HTML tags from being removed.
 (CVE-2006-0996)
 
 Directory traversal vulnerability in file.c in PHP <= 5.1.2 allows
 local users to bypass open_basedir restrictions and allows remote
 attackers to create files in arbitrary directories via the tempnam
 function. (CVE-2006-1494)
 
 The copy function in file.c in PHP <= 5.1.2 allows local users to
 bypass safe mode and read arbitrary files via a source argument
 containing a compress.zlib:// URI. (CVE-2006-1608)
 
 Updated packages have been patched to address these issues.  After
 upgrading these packages, please run "service httpd restart".
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0996
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1494
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1608
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 6cb691aa48c2296c57f3d65d2724f7d3  10.2/RPMS/libphp_common432-4.3.10-7.11.102mdk.i586.rpm
 6c72033c47da9a215e7d9d5818bd8a4c  10.2/RPMS/php432-devel-4.3.10-7.11.102mdk.i586.rpm
 2d3b41503d65dbb63afd816b82dcc4c0  10.2/RPMS/php-cgi-4.3.10-7.11.102mdk.i586.rpm
 23dff1292b45e3019cfcff624988c1bf  10.2/RPMS/php-cli-4.3.10-7.11.102mdk.i586.rpm
 80ea8ca3381b02fe700184e2f4996a01  10.2/SRPMS/php-4.3.10-7.11.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 b0aa527c34e84bd561028bc7be2f15f3  x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.11.102mdk.x86_64.rpm
 99908ebcd99ad6fd6743dfcc7bc8f0bb  x86_64/10.2/RPMS/php432-devel-4.3.10-7.11.102mdk.x86_64.rpm
 1bd9fe999525590c0349daf67f091120  x86_64/10.2/RPMS/php-cgi-4.3.10-7.11.102mdk.x86_64.rpm
 96c4cc779c0b95b9d657c7a22ce25a6c  x86_64/10.2/RPMS/php-cli-4.3.10-7.11.102mdk.x86_64.rpm
 80ea8ca3381b02fe700184e2f4996a01  x86_64/10.2/SRPMS/php-4.3.10-7.11.102mdk.src.rpm

 Mandriva Linux 2006.0:
 f9f92f293c9a66facd9df8d387aff8a4  2006.0/RPMS/libphp5_common5-5.0.4-9.7.20060mdk.i586.rpm
 7e9966dbcae985dc1a96d504a0f62608  2006.0/RPMS/php-cgi-5.0.4-9.7.20060mdk.i586.rpm
 5986088bc45b33a07cfa9040728eda4b  2006.0/RPMS/php-cli-5.0.4-9.7.20060mdk.i586.rpm
 cb71d5ed6ce66a8cb8bb6eb606f41c18  2006.0/RPMS/php-devel-5.0.4-9.7.20060mdk.i586.rpm
 35a8f28a1bf837da8c4cd4c7ccfbabf0  2006.0/RPMS/php-fcgi-5.0.4-9.7.20060mdk.i586.rpm
 4ed1817971b580bf5158ba8c7849942a  2006.0/SRPMS/php-5.0.4-9.7.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 12034267cfa851d3cd1790147fe33a33  x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.7.20060mdk.x86_64.rpm
 71fa67fd6f623cca6bef276f8698966c  x86_64/2006.0/RPMS/php-cgi-5.0.4-9.7.20060mdk.x86_64.rpm
 a5ae41e39b78f723e5c008f42cd94713  x86_64/2006.0/RPMS/php-cli-5.0.4-9.7.20060mdk.x86_64.rpm
 26d888c996a63a6f30f1158f1f262ac5  x86_64/2006.0/RPMS/php-devel-5.0.4-9.7.20060mdk.x86_64.rpm
 7bffe3e550178279eb0cf86a63135ed8  x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.7.20060mdk.x86_64.rpm
 4ed1817971b580bf5158ba8c7849942a  x86_64/2006.0/SRPMS/php-5.0.4-9.7.20060mdk.src.rpm

 Corporate 3.0:
 9465ef267ccc97c3bdb93ac1c01d4e1f  corporate/3.0/RPMS/libphp_common432-4.3.4-4.15.C30mdk.i586.rpm
 b93cf0957bafbe7b8fd09e389e213bd7  corporate/3.0/RPMS/php432-devel-4.3.4-4.15.C30mdk.i586.rpm
 5c804ad53a5465611daf49e1a086f0e1  corporate/3.0/RPMS/php-cgi-4.3.4-4.15.C30mdk.i586.rpm
 b14c50b9c0f43f187db405cc8f55cd08  corporate/3.0/RPMS/php-cli-4.3.4-4.15.C30mdk.i586.rpm
 1a9f953f763ea289713cc8b456cde484  corporate/3.0/SRPMS/php-4.3.4-4.15.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 9569da02e4cd1d854cdbad8dcf91003a  x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.15.C30mdk.x86_64.rpm
 476b548c9d342dac9a5a3bb230f17f33  x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.15.C30mdk.x86_64.rpm
 dffb56720790f00ed138e9b66a4f9145  x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.15.C30mdk.x86_64.rpm
 6549890f5a9d15a721ced4ff8991149b  x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.15.C30mdk.x86_64.rpm
 1a9f953f763ea289713cc8b456cde484  x86_64/corporate/3.0/SRPMS/php-4.3.4-4.15.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 47733a5fa2b3ea413a53ce000a0bbc73  mnf/2.0/RPMS/libphp_common432-4.3.4-4.15.M20mdk.i586.rpm
 9f6cdbe97597ba858c202937cc0e2999  mnf/2.0/RPMS/php432-devel-4.3.4-4.15.M20mdk.i586.rpm
 181a9b0a5673f83096dddadc07a3324d  mnf/2.0/RPMS/php-cgi-4.3.4-4.15.M20mdk.i586.rpm
 08928ad43dccf63184d0cb9b7090a2a6  mnf/2.0/RPMS/php-cli-4.3.4-4.15.M20mdk.i586.rpm
 47295c4db3710a956c489848f253ada7  mnf/2.0/SRPMS/php-4.3.4-4.15.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFETQJemqjQ0CJFipgRAkYrAJ9zy204VXVXEjQpThlz/10EkMbTLgCg2VcQ
tdhsxG8Hu2oNX9gdc2q5A/0=
=Z4Lv
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [ MDKSA-2006:074 ] - Updated php packages address multiple vulnerabilities. security (Apr 24)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]