Full Disclosure mailing list archives

[ MDVSA-2008:128 ] - Updated PHP packages fix multiple vulnerabilities
From: security () mandriva com
Date: Thu, 03 Jul 2008 18:05:00 -0600


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:128
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : php
 Date    : July 3, 2008
 Affected: 2008.1
 _______________________________________________________________________
 
 Problem Description:
 
 A number of vulnerabilities have been found and corrected in PHP:
 
 php-cgi in PHP prior to 5.2.6 does not properly calculate the length
 of PATH_TRANSLATED, which has unknown impact and attack vectors
 (CVE-2008-0599).
 
 The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown
 impact and context-dependent attack vectors related to incomplete
 multibyte characters (CVE-2008-2051).
 
 Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5
 were discovered that could produce a zero seed in rare circumstances on
 32bit systems and generate a portion of zero bits during conversion
 due to insufficient precision on 64bit systems (CVE-2008-2107,
 CVE-2008-2108).
 
 The IMAP module in PHP uses obsolete API calls that allow
 context-dependent attackers to cause a denial of service (crash)
 via a long IMAP request (CVE-2008-2829).
 
 In addition, the updated packages provide a number of bug fixes.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2008.1:

 Mandriva Linux 2008.1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFIbT7gmqjQ0CJFipgRAqVOAKC/PGY3i2IKO592B0Ukfck2HnZPogCfUijv
tvsSl4XAuy3Fg1iJ05MfgMs=
=M3vw
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
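
The 64-bit precision weakness described above for GENERATE_SEED (CVE-2008-2107, CVE-2008-2108), as an added example that is not part of the advisory and is not PHP's source code. It assumes a simplified model in which the seed is a timestamp, a process ID, a constant and a fraction in [0,1) multiplied in double precision and then converted to a 64-bit integer; the function names and sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TWO53 9007199254740992.0     /* 2^53: above this, doubles skip integers */
#define TWO63 9223372036854775808.0  /* 2^63: first value too large for int64_t */

/* Low bits forced to zero when d is converted to an integer: a double has a
 * 53-bit significand, so each halving needed to get below 2^53 costs one bit. */
int guaranteed_zero_bits(double d) {
    double a = d < 0 ? -d : d;
    int n = 0;
    while (a >= TWO53 && n < 1100) { a /= 2.0; n++; }  /* cap stops on infinity */
    return n;
}

/* Count the zero bits actually present at the bottom of v. */
int trailing_zero_bits(int64_t v) {
    uint64_t u = (uint64_t)v;
    int n = 0;
    if (u == 0) return 64;
    while ((u & 1) == 0) { u >>= 1; n++; }
    return n;
}

/* Simplified seed model (an assumption, not the PHP macro itself). Sets *ok to 0
 * and returns 0 when the product does not fit, because converting an
 * out-of-range double to an integer is undefined behaviour in C. */
int64_t model_seed(long t, long pid, double fraction, int *ok) {
    double d = (double)t * (double)pid * 1000000.0 * fraction;
    *ok = (d < TWO63 && d >= -TWO63);
    return *ok ? (int64_t)d : 0;
}

int main(void) {
    int ok;
    /* Constructed inputs: a July 2008 timestamp, an arbitrary PID and fraction. */
    int64_t s = model_seed(1215129900L, 12345L, 0.5, &ok);
    if (!ok) { puts("product out of range for a 64-bit seed"); return 1; }
    printf("seed            = %lld\n", (long long)s);
    printf("guaranteed zero = %d low bits\n", guaranteed_zero_bits((double)s));
    printf("observed zero   = %d low bits\n", trailing_zero_bits(s));
    return 0;
}
```

With these inputs the product lies between 2^62 and 2^63, so the low 10 bits of the resulting seed carry no entropy regardless of the fraction's value.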

