Message-Id: <E1WuKNM-0002dC-A5@titan.mandriva.com>
Date: Tue, 10 Jun 2014 13:38:00 +0200
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2014:115 ] php

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:115
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : June 10, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated php packages fix security vulnerabilities:
 
 A flaw was found in the way file's Composite Document Files (CDF)
 format parser handled CDF files with many summary info entries.
 The cdf_unpack_summary_info() function unnecessarily repeatedly read
 the info from the same offset.  This led to many file_printf() calls in
 cdf_file_property_info(), which caused file to use an excessive amount
 of CPU time when parsing a specially-crafted CDF file (CVE-2014-0237).
 
 A flaw was found in the way file parsed property information from
 Composite Document Files (CDF) files.  A property entry with 0 elements
 triggers an infinite loop (CVE-2014-0238).
 
 PHP contains a bundled copy of the file utility's libmagic library,
 so it was vulnerable to this issue. It has been updated to the 5.5.13
 version, which fixes this issue and several other bugs.
 
 Additionally, php-apc has been rebuilt against the updated php
 packages.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0237
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0238
 http://advisories.mageia.org/MGASA-2014-0258.html
 http://www.php.net/ChangeLog-5.php#5.5.13
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTlsPomqjQ0CJFipgRAg1qAJ0YBZob4nXqZms0MkA/1T74J2VLYgCfRsp6
cJwFAWk8ttlBXch5pCInVCs=
=1IOZ
-----END PGP SIGNATURE-----
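
An added example, not part of the advisory and not libmagic's code: a simplified C model of how an entry with a zero element count can stall a parsing loop (the class of flaw described above for CVE-2014-0238), next to the count check that stops it. The slot layout, `walk_slots`, the status codes and the iteration budget are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout, for illustration only (not the CDF on-disk format):
 * a vector occupies `nelements` consecutive slots, with the count stored
 * in its first slot. */
struct slot { uint32_t nelements; uint32_t value; };

enum { WALK_REJECTED = -1, WALK_STALLED = -2 };

/* Returns the number of vectors walked, or a negative status.
 * `checked` enables the count validation; `budget` caps outer iterations so
 * the unchecked variant terminates here instead of spinning forever. */
static int walk_slots(const struct slot *s, size_t nslots, int checked, long budget)
{
    int vectors = 0;

    for (size_t i = 0; i < nslots; i++) {
        if (budget-- <= 0)
            return WALK_STALLED;            /* no forward progress */

        uint32_t n = s[i].nelements;
        if (checked && (n == 0 || n > nslots - i))
            return WALK_REJECTED;           /* malformed count: stop parsing */

        for (uint32_t j = 0; j < n && i < nslots; j++, i++)
            ;                               /* consume one element per slot */
        i--;    /* undo one step for the outer i++; wrong when n == 0 */
        vectors++;
    }
    return vectors;
}

/* Constructed inputs. GOOD: a 2-element vector, then a 1-element vector.
 * BAD: the entry starting at slot 1 claims zero elements. */
static const struct slot GOOD[] = { {2, 10}, {0, 11}, {1, 12} };
static const struct slot BAD[]  = { {1, 10}, {0, 11}, {1, 12} };

int main(void)
{
    printf("good, unchecked: %d\n", walk_slots(GOOD, 3, 0, 1000));
    printf("bad,  unchecked: %d\n", walk_slots(BAD, 3, 0, 1000));
    printf("bad,  checked:   %d\n", walk_slots(BAD, 3, 1, 1000));
    return 0;
}
```

In the unchecked run over `BAD`, the index returns to slot 1 on every pass, so only the budget ends the loop; the checked run rejects the entry as soon as it reads the zero count.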
