[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1KEYhY-00078O-ID@titan.mandriva.com>
Date: Thu, 03 Jul 2008 17:59:00 -0600
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2008:127 ] - Updated PHP packages fix multiple vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:127
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : July 3, 2008
Affected: 2008.0
_______________________________________________________________________
Problem Description:
A number of vulnerabilities have been found and corrected in PHP:
The htmlentities() and htmlspecialchars() functions in PHP prior to
5.2.5 accepted partial multibyte sequences, which has unknown impact
and attack vectors (CVE-2007-5898).
The output_add_rewrite_var() function in PHP prior to 5.2.5 rewrites
local forms in which the ACTION attribute references a non-local URL,
which could allow a remote attacker to obtain potentially sensitive
information by reading the requests for this URL (CVE-2007-5899).
php-cgi in PHP prior to 5.2.6 does not properly calculate the length
of PATH_TRANSLATED, which has unknown impact and attack vectors
(CVE-2008-0599).
The escapeshellcmd() API function in PHP prior to 5.2.6 has unknown
impact and context-dependent attack vectors related to incomplete
multibyte characters (CVE-2008-2051).
Weaknesses in the GENERATE_SEED macro in PHP prior to 4.4.8 and 5.2.5
were discovered that could produce a zero seed in rare circumstances on
32bit systems and generations a portion of zero bits during conversion
due to insufficient precision on 64bit systems (CVE-2008-2107,
CVE-2008-2108).
The IMAP module in PHP uses obsolete API calls that allow
context-dependent attackers to cause a denial of service (crash)
via a long IMAP request (CVE-2008-2829).
In addition, this update also corrects an issue with some float to
string conversions.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5898
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2107
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2108
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2829
http://qa.mandriva.com/show_bug.cgi?id=37171
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
4964496fdee7d2fff5f4b1fa8c14532b 2008.0/i586/libphp5_common5-5.2.4-3.2mdv2008.0.i586.rpm
39937c9c935ad96fb6cf346018b81d57 2008.0/i586/php-bcmath-5.2.4-3.2mdv2008.0.i586.rpm
112de70d3898dea5b99248eff489a78d 2008.0/i586/php-bz2-5.2.4-3.2mdv2008.0.i586.rpm
3f4804e2a62bcafa66c1ca7a181537fd 2008.0/i586/php-calendar-5.2.4-3.2mdv2008.0.i586.rpm
14377775243a1d5d3f3eed5f1b01261c 2008.0/i586/php-cgi-5.2.4-3.2mdv2008.0.i586.rpm
6dbade915c57c8d2b87352f8fe6e0450 2008.0/i586/php-cli-5.2.4-3.2mdv2008.0.i586.rpm
7a0cd01543c1e9f032018b5ce05f664a 2008.0/i586/php-ctype-5.2.4-3.2mdv2008.0.i586.rpm
22f4036085ae339b6fe8248b4e316850 2008.0/i586/php-curl-5.2.4-3.2mdv2008.0.i586.rpm
84a3f3752567dbbe12a4942da80a5b30 2008.0/i586/php-dba-5.2.4-3.2mdv2008.0.i586.rpm
65916c79bd3716748f2115542402f9e1 2008.0/i586/php-dbase-5.2.4-3.2mdv2008.0.i586.rpm
4ed4fbfc2322ab332de781b078f5fbf6 2008.0/i586/php-devel-5.2.4-3.2mdv2008.0.i586.rpm
8de4887cda8cb1ca0527a7ddac80da34 2008.0/i586/php-dom-5.2.4-3.2mdv2008.0.i586.rpm
c1c3eeb952c1492e65bafa53cc98dda7 2008.0/i586/php-exif-5.2.4-3.2mdv2008.0.i586.rpm
5f4cb00ef6a273b03be7749d8181c873 2008.0/i586/php-fcgi-5.2.4-3.2mdv2008.0.i586.rpm
38d62f9676137e7f4267ec488d029e12 2008.0/i586/php-filter-5.2.4-3.2mdv2008.0.i586.rpm
f72252bd88ec2e34a7821aa5a70c37c1 2008.0/i586/php-ftp-5.2.4-3.2mdv2008.0.i586.rpm
63b43f95c94e3f121a49c2c6016995bd 2008.0/i586/php-gd-5.2.4-3.2mdv2008.0.i586.rpm
8cd73b8ca8370954c7e8c3f92b17cf26 2008.0/i586/php-gettext-5.2.4-3.2mdv2008.0.i586.rpm
43702222ddbc3e9e8674d893174eab02 2008.0/i586/php-gmp-5.2.4-3.2mdv2008.0.i586.rpm
3db9582768562fb6edca7d37504ac555 2008.0/i586/php-hash-5.2.4-3.2mdv2008.0.i586.rpm
0494c0f6d0d1526d308ed8d131fe8771 2008.0/i586/php-iconv-5.2.4-3.2mdv2008.0.i586.rpm
74e84b579bd1fafa55b3792795b32a2a 2008.0/i586/php-imap-5.2.4-3.2mdv2008.0.i586.rpm
c25acebf5ab78b503ce889f9d434eb9d 2008.0/i586/php-json-5.2.4-3.2mdv2008.0.i586.rpm
75c0858eebc00515193a8525e6abc52f 2008.0/i586/php-ldap-5.2.4-3.2mdv2008.0.i586.rpm
ad813ea774c87cc21dfc03e1737e9992 2008.0/i586/php-mbstring-5.2.4-3.2mdv2008.0.i586.rpm
cd672d701608dbc6285e83805b0caed6 2008.0/i586/php-mcrypt-5.2.4-3.2mdv2008.0.i586.rpm
daff2f108122f193b1cdb7c53a63b439 2008.0/i586/php-mhash-5.2.4-3.2mdv2008.0.i586.rpm
41713242ffef20ec2d201f47cf1394ad 2008.0/i586/php-mime_magic-5.2.4-3.2mdv2008.0.i586.rpm
c532358f85d2dc2c29ca328a9b2bdc3d 2008.0/i586/php-ming-5.2.4-3.2mdv2008.0.i586.rpm
f1ebed79be33a3a04ec75e6fc300b5d1 2008.0/i586/php-mssql-5.2.4-3.2mdv2008.0.i586.rpm
116cb44f5b7092d2dbd4a0e2f861350f 2008.0/i586/php-mysql-5.2.4-3.2mdv2008.0.i586.rpm
856c66c7136d7ca94fdf22b873664b75 2008.0/i586/php-mysqli-5.2.4-3.2mdv2008.0.i586.rpm
731889df3739bb8413bf81287ba40459 2008.0/i586/php-ncurses-5.2.4-3.2mdv2008.0.i586.rpm
9d100f8050649a4601ee2eecbaf9db22 2008.0/i586/php-odbc-5.2.4-3.2mdv2008.0.i586.rpm
3333c9d55426bfdf7b14a4f3bfc0280b 2008.0/i586/php-openssl-5.2.4-3.2mdv2008.0.i586.rpm
0faf70d76ad40914abb2b07235db0fe0 2008.0/i586/php-pcntl-5.2.4-3.2mdv2008.0.i586.rpm
420c8170c11b5bcbf858e897a625a568 2008.0/i586/php-pdo-5.2.4-3.2mdv2008.0.i586.rpm
33fa19cf7c0ec490aaa4150f4d1dc68e 2008.0/i586/php-pdo_dblib-5.2.4-3.2mdv2008.0.i586.rpm
89245d8ab6d05972005ac5fb963d9021 2008.0/i586/php-pdo_mysql-5.2.4-3.2mdv2008.0.i586.rpm
d7b8841964b26212fca668441102bb02 2008.0/i586/php-pdo_odbc-5.2.4-3.2mdv2008.0.i586.rpm
a68b90f68d6627772b0b5fcda4352616 2008.0/i586/php-pdo_pgsql-5.2.4-3.2mdv2008.0.i586.rpm
7de4ce0b46f67f2b5e86bac05bcdee1b 2008.0/i586/php-pdo_sqlite-5.2.4-3.2mdv2008.0.i586.rpm
c2600185c76439cdf4485308d96f677b 2008.0/i586/php-pgsql-5.2.4-3.2mdv2008.0.i586.rpm
36067daf02d684c247a0198478a9eca9 2008.0/i586/php-posix-5.2.4-3.2mdv2008.0.i586.rpm
ca12377f3130587ed0e291219298ea85 2008.0/i586/php-pspell-5.2.4-3.2mdv2008.0.i586.rpm
7bb0a857e8d68a167d2619896aa9138d 2008.0/i586/php-readline-5.2.4-3.2mdv2008.0.i586.rpm
3d84362d34a97213908a060a011b761b 2008.0/i586/php-recode-5.2.4-3.2mdv2008.0.i586.rpm
b3be6e8921d1400699bf5dd8d01534b8 2008.0/i586/php-session-5.2.4-3.2mdv2008.0.i586.rpm
de73d4de81f7ff00ed7043fdaeb92c2b 2008.0/i586/php-shmop-5.2.4-3.2mdv2008.0.i586.rpm
4e90e4c3bbf351c3e25d719803dbbbcd 2008.0/i586/php-simplexml-5.2.4-3.2mdv2008.0.i586.rpm
0ba85b7cd04ae54c1be0212a3651abe7 2008.0/i586/php-snmp-5.2.4-3.2mdv2008.0.i586.rpm
1edddb67795d167f199d08ad7c8544f7 2008.0/i586/php-soap-5.2.4-3.2mdv2008.0.i586.rpm
447a4d2ce60d61385f655800582b255f 2008.0/i586/php-sockets-5.2.4-3.2mdv2008.0.i586.rpm
7d1da4760885e4a93085a3251522c359 2008.0/i586/php-sqlite-5.2.4-3.2mdv2008.0.i586.rpm
8ed94bd708eaa97d8274c3247f431a09 2008.0/i586/php-sysvmsg-5.2.4-3.2mdv2008.0.i586.rpm
d1a8c118166c26bdd9a51a6539c2170d 2008.0/i586/php-sysvsem-5.2.4-3.2mdv2008.0.i586.rpm
8fcb4e6ff9be40125d31dfa72c91304a 2008.0/i586/php-sysvshm-5.2.4-3.2mdv2008.0.i586.rpm
e41ed56b79a47764bd2569c4807ef6c5 2008.0/i586/php-tidy-5.2.4-3.2mdv2008.0.i586.rpm
d004aa350d12aa97d9e38facb7384923 2008.0/i586/php-tokenizer-5.2.4-3.2mdv2008.0.i586.rpm
9b530981f55d4c13a135e9795ae26e80 2008.0/i586/php-wddx-5.2.4-3.2mdv2008.0.i586.rpm
1d69762dc0ab2230eaa1b89649aa321d 2008.0/i586/php-xml-5.2.4-3.2mdv2008.0.i586.rpm
79c68e71802c054e7f6a3fff96c135de 2008.0/i586/php-xmlreader-5.2.4-3.2mdv2008.0.i586.rpm
efe5041757651f3b5e699031f6cdf69f 2008.0/i586/php-xmlrpc-5.2.4-3.2mdv2008.0.i586.rpm
21ffedc32409617c2aa4e433818e349a 2008.0/i586/php-xmlwriter-5.2.4-3.2mdv2008.0.i586.rpm
a9317dbd662e0c0a9d718ed37c2b2bad 2008.0/i586/php-xsl-5.2.4-3.2mdv2008.0.i586.rpm
5c4ed89d027aea291d01d535a0b9b404 2008.0/i586/php-zlib-5.2.4-3.2mdv2008.0.i586.rpm
2c717855b2ed804e20c05da11f958e6b 2008.0/SRPMS/php-5.2.4-3.2mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
7c6ec0a220b884b70591d817b018854e 2008.0/x86_64/lib64php5_common5-5.2.4-3.2mdv2008.0.x86_64.rpm
f82a02bf5481d88a10fd4a9435da20f1 2008.0/x86_64/php-bcmath-5.2.4-3.2mdv2008.0.x86_64.rpm
c07ecb49cc0c56f85c2240c77d55e604 2008.0/x86_64/php-bz2-5.2.4-3.2mdv2008.0.x86_64.rpm
55f39affa7ae19880ba553909c6f22fd 2008.0/x86_64/php-calendar-5.2.4-3.2mdv2008.0.x86_64.rpm
84419c18107b9c0a1b0babbd97dc60b2 2008.0/x86_64/php-cgi-5.2.4-3.2mdv2008.0.x86_64.rpm
76cd079e91c6c4e295769fe37b7bbb87 2008.0/x86_64/php-cli-5.2.4-3.2mdv2008.0.x86_64.rpm
7fc9beea712fd5078c89c34af19a9946 2008.0/x86_64/php-ctype-5.2.4-3.2mdv2008.0.x86_64.rpm
d284562916df646f74a804f91fcd659a 2008.0/x86_64/php-curl-5.2.4-3.2mdv2008.0.x86_64.rpm
faa6f7d38a59cfa81e931e9537f6381d 2008.0/x86_64/php-dba-5.2.4-3.2mdv2008.0.x86_64.rpm
0403c3c1073a5e4887dd978ba4c0b14a 2008.0/x86_64/php-dbase-5.2.4-3.2mdv2008.0.x86_64.rpm
2571b773d626d0c2b14fca3be0dbcdd5 2008.0/x86_64/php-devel-5.2.4-3.2mdv2008.0.x86_64.rpm
c0beeee29f9d5306162b59593f4b6590 2008.0/x86_64/php-dom-5.2.4-3.2mdv2008.0.x86_64.rpm
c391c5b836ad63f1599333a823f9785b 2008.0/x86_64/php-exif-5.2.4-3.2mdv2008.0.x86_64.rpm
c5af8ee7d5938468ea36424adddb42cb 2008.0/x86_64/php-fcgi-5.2.4-3.2mdv2008.0.x86_64.rpm
a1e2e7e3c5d96ba24a205f0c6f799755 2008.0/x86_64/php-filter-5.2.4-3.2mdv2008.0.x86_64.rpm
5d0f0db6c857986a8e0bed8ce1b2f274 2008.0/x86_64/php-ftp-5.2.4-3.2mdv2008.0.x86_64.rpm
f29b00bc367ec0c17fca44a0eca1d2ee 2008.0/x86_64/php-gd-5.2.4-3.2mdv2008.0.x86_64.rpm
9f36fac78f0615052cb1459981796eb5 2008.0/x86_64/php-gettext-5.2.4-3.2mdv2008.0.x86_64.rpm
8b02cd2bfc64dafe36221ab2a84f1e1e 2008.0/x86_64/php-gmp-5.2.4-3.2mdv2008.0.x86_64.rpm
6b8b3e930cad66d85c1e7c3798082696 2008.0/x86_64/php-hash-5.2.4-3.2mdv2008.0.x86_64.rpm
a7f7d7e45415de6e8806ec8cd24fab15 2008.0/x86_64/php-iconv-5.2.4-3.2mdv2008.0.x86_64.rpm
e71c04769901527f75bb32900d19138e 2008.0/x86_64/php-imap-5.2.4-3.2mdv2008.0.x86_64.rpm
ea23fc2159c3fe956eef9a55335b87f4 2008.0/x86_64/php-json-5.2.4-3.2mdv2008.0.x86_64.rpm
6ff77a39d3998b24650dc91eb09e902e 2008.0/x86_64/php-ldap-5.2.4-3.2mdv2008.0.x86_64.rpm
441208300d91f0849ca6e0b8e26b9b19 2008.0/x86_64/php-mbstring-5.2.4-3.2mdv2008.0.x86_64.rpm
a95bec26dfd5e2a8773a5edcca612c9b 2008.0/x86_64/php-mcrypt-5.2.4-3.2mdv2008.0.x86_64.rpm
167bc322f2204d4c643ce499e8f303a2 2008.0/x86_64/php-mhash-5.2.4-3.2mdv2008.0.x86_64.rpm
34b6a244a5361ea596b78e31e152087d 2008.0/x86_64/php-mime_magic-5.2.4-3.2mdv2008.0.x86_64.rpm
07c137c89962d1bf9f02eb76d590fc9b 2008.0/x86_64/php-ming-5.2.4-3.2mdv2008.0.x86_64.rpm
a4a23328014899da202ca3585202fb14 2008.0/x86_64/php-mssql-5.2.4-3.2mdv2008.0.x86_64.rpm
fc523fd93e5ed4f8b5b2bdebfbb084c1 2008.0/x86_64/php-mysql-5.2.4-3.2mdv2008.0.x86_64.rpm
d0c36a5ec8f31317ef18d4f86ab0d0e8 2008.0/x86_64/php-mysqli-5.2.4-3.2mdv2008.0.x86_64.rpm
5548d0c4b41141ef095cef2b10e48e65 2008.0/x86_64/php-ncurses-5.2.4-3.2mdv2008.0.x86_64.rpm
4afea2b1f843ab580288c7d2e2970885 2008.0/x86_64/php-odbc-5.2.4-3.2mdv2008.0.x86_64.rpm
46ba4fa02760007576378428bb80feb5 2008.0/x86_64/php-openssl-5.2.4-3.2mdv2008.0.x86_64.rpm
79ff2c4c60b58c950db9336e1ba2e5ec 2008.0/x86_64/php-pcntl-5.2.4-3.2mdv2008.0.x86_64.rpm
30a0c1a42dee0e63df8edf4a03705583 2008.0/x86_64/php-pdo-5.2.4-3.2mdv2008.0.x86_64.rpm
4934e452fdddfea4bd049319256e5c0b 2008.0/x86_64/php-pdo_dblib-5.2.4-3.2mdv2008.0.x86_64.rpm
2aac1840cceb12487440906758b302d9 2008.0/x86_64/php-pdo_mysql-5.2.4-3.2mdv2008.0.x86_64.rpm
e2f8ff3183b0aa2502f6f0f8b9c25dbf 2008.0/x86_64/php-pdo_odbc-5.2.4-3.2mdv2008.0.x86_64.rpm
8f6d42248dbb2733ea961832bf1c8002 2008.0/x86_64/php-pdo_pgsql-5.2.4-3.2mdv2008.0.x86_64.rpm
12fa367e082312b6ca239c48aa60d532 2008.0/x86_64/php-pdo_sqlite-5.2.4-3.2mdv2008.0.x86_64.rpm
80cef4fd4f1bd43aafd329f5d3dd0746 2008.0/x86_64/php-pgsql-5.2.4-3.2mdv2008.0.x86_64.rpm
ffe606c87612f73ce2aa346e2f6ef88a 2008.0/x86_64/php-posix-5.2.4-3.2mdv2008.0.x86_64.rpm
e5a43918a92e042abb8744462c11450d 2008.0/x86_64/php-pspell-5.2.4-3.2mdv2008.0.x86_64.rpm
3489f296995bbd4c39060a4dcef708a8 2008.0/x86_64/php-readline-5.2.4-3.2mdv2008.0.x86_64.rpm
056f4802270d25466956722a084c0630 2008.0/x86_64/php-recode-5.2.4-3.2mdv2008.0.x86_64.rpm
de836669d4705ce2876002be7c0ac0f5 2008.0/x86_64/php-session-5.2.4-3.2mdv2008.0.x86_64.rpm
a6911b797b25eaecd320da289c8a6032 2008.0/x86_64/php-shmop-5.2.4-3.2mdv2008.0.x86_64.rpm
b477a40948286c534204d1d4f22f9ab0 2008.0/x86_64/php-simplexml-5.2.4-3.2mdv2008.0.x86_64.rpm
80f3d118ca6cf804d4ae1f9239ca443b 2008.0/x86_64/php-snmp-5.2.4-3.2mdv2008.0.x86_64.rpm
b84262ac2963a40a1b2cead035c73a66 2008.0/x86_64/php-soap-5.2.4-3.2mdv2008.0.x86_64.rpm
06c54cc25362d9402c57975c0c1fdb6c 2008.0/x86_64/php-sockets-5.2.4-3.2mdv2008.0.x86_64.rpm
979551b073fb7a07dac96b7590e75eab 2008.0/x86_64/php-sqlite-5.2.4-3.2mdv2008.0.x86_64.rpm
76a11ff08c0e8b10b54996ddc4d24f33 2008.0/x86_64/php-sysvmsg-5.2.4-3.2mdv2008.0.x86_64.rpm
899c3c8cf2604a34c95c1f2777f7faca 2008.0/x86_64/php-sysvsem-5.2.4-3.2mdv2008.0.x86_64.rpm
0e9dca07c599f6ab0fe7cd678bfd4056 2008.0/x86_64/php-sysvshm-5.2.4-3.2mdv2008.0.x86_64.rpm
23554f0d3e453e262d8cf06004570db2 2008.0/x86_64/php-tidy-5.2.4-3.2mdv2008.0.x86_64.rpm
a9775d8aa17c056b6ecf33493f460af6 2008.0/x86_64/php-tokenizer-5.2.4-3.2mdv2008.0.x86_64.rpm
0de28245d48636781d26186a3f7aa3bf 2008.0/x86_64/php-wddx-5.2.4-3.2mdv2008.0.x86_64.rpm
c68b945348738daedffaffc2c7116921 2008.0/x86_64/php-xml-5.2.4-3.2mdv2008.0.x86_64.rpm
11a1d8dfe53bc833def78382853ec2bd 2008.0/x86_64/php-xmlreader-5.2.4-3.2mdv2008.0.x86_64.rpm
8695d6aa557f9947b1c85c9b1f0ff794 2008.0/x86_64/php-xmlrpc-5.2.4-3.2mdv2008.0.x86_64.rpm
30921f94417b1c0a36d91097319ccb69 2008.0/x86_64/php-xmlwriter-5.2.4-3.2mdv2008.0.x86_64.rpm
fc8bd211ec721efe34e79b9c37c50be4 2008.0/x86_64/php-xsl-5.2.4-3.2mdv2008.0.x86_64.rpm
20f1b68969555b6d16ee4862f9dbf401 2008.0/x86_64/php-zlib-5.2.4-3.2mdv2008.0.x86_64.rpm
2c717855b2ed804e20c05da11f958e6b 2008.0/SRPMS/php-5.2.4-3.2mdv2008.0.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFIbT1tmqjQ0CJFipgRArQFAKCcqymdDdwSuu+57idL7jxJ9IPiEQCeN8oP
oaOP1b+JJp5AsiD6UfECzaY=
=7pe0
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists