lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1FQWO4-00008h-Vr@mercury.mandriva.com>
Date: Mon Apr  3 22:15:08 2006
From: security at mandriva.com (security@...driva.com)
Subject: [ MDKSA-2006:063 ] - Updated php packages fix
	information disclosure vulnerability


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2006:063
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : php
 Date    : April 2, 2006
 Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A vulnerability was discovered where the html_entity_decode() function
 would return a chunk of memory with length equal to the string
 supplied, which could include php code, php ini data, other user data,
 etc.  Note that by default, Corporate 3.0 and Mandriva Linux LE2005
 ship with magic_quotes_gpc on which seems to protect against this
 vulnerability "out of the box" but users are encourages to upgrade
 regardless.
 
 Once the upgraded packages have been installed, users will need to
 issue a "service httpd restart" in order for the fixed packages to be
 properly loaded.
 
 Updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 10.2:
 ef3fa2a2d14fb8be4f3febaf83bbffa9  10.2/RPMS/libphp_common432-4.3.10-7.8.102mdk.i586.rpm
 4a883be9e264869febfdfc5cdf529a49  10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.i586.rpm
 2c1627712cca538956c5f851f616d5ce  10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.i586.rpm
 8c6727cf7e6eb10dabc18eab21bfb2e4  10.2/RPMS/php-cli-4.3.10-7.8.102mdk.i586.rpm
 42d36049ac84a54b170d64fb1e4bdbfc  10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm

 Mandriva Linux 10.2/X86_64:
 0bc53707143b53de67d92e09c3f681ce  x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.8.102mdk.x86_64.rpm
 aa2afe3688d5467753f3b65f977cdfe2  x86_64/10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.x86_64.rpm
 b69f7d7333fd59fc53f2c3cb775cb92d  x86_64/10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.x86_64.rpm
 9efe4691fa443904d12e05628ec32d1f  x86_64/10.2/RPMS/php-cli-4.3.10-7.8.102mdk.x86_64.rpm
 42d36049ac84a54b170d64fb1e4bdbfc  x86_64/10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm

 Mandriva Linux 2006.0:
 2a7b4c48f38f0ca7ca1bfc6ee017e27b  2006.0/RPMS/libphp5_common5-5.0.4-9.4.20060mdk.i586.rpm
 2b0fe0ae0adfcea994618097ccd8f43e  2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.i586.rpm
 6495845826ffc3963ea5fa7602413d99  2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.i586.rpm
 67e7e6ac6ffd75ebb3cfb067e16a6e90  2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.i586.rpm
 a07dfb39972947e39fc464895703e54f  2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.i586.rpm
 c71f42f38e21d547bc3121df180a1f9d  2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 c8d248402a14d3395df39d8460b2d09e  x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.4.20060mdk.x86_64.rpm
 48903c848a6b6e95e602c9167f21140b  x86_64/2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.x86_64.rpm
 cf2c3ef8f5dd6a399026777f225e61c2  x86_64/2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.x86_64.rpm
 78f44b12e62d382cdde698eddb98de7d  x86_64/2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.x86_64.rpm
 e6f2546f0ad6786b235ff9d3a5037f18  x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.x86_64.rpm
 c71f42f38e21d547bc3121df180a1f9d  x86_64/2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm

 Corporate 3.0:
 bfe7ada522d7d8c94d145d1345ea1cd2  corporate/3.0/RPMS/libphp_common432-4.3.4-4.12.C30mdk.i586.rpm
 d6e143fb483b0b491712b1f19d89d343  corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.i586.rpm
 bbc4009f6a6ae8c1c57dd19d4d835a76  corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.i586.rpm
 30559d249370d48b6620f836857d4a03  corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.i586.rpm
 c2a531e21b0337d6e2e189922de96444  corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 775eb72e9367dfa3f58fbf58baecbbef  x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.12.C30mdk.x86_64.rpm
 acb65ffa3867a095ec685f3c8964dc79  x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.x86_64.rpm
 7ab648313c53a521b42c5fbe861ebefe  x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.x86_64.rpm
 56821179db1b9e456894a58c816f3766  x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.x86_64.rpm
 c2a531e21b0337d6e2e189922de96444  x86_64/corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 e58ffa871474e313deb349926b22cc7e  mnf/2.0/RPMS/libphp_common432-4.3.4-4.12.M20mdk.i586.rpm
 0f58a032dcdb3bc45b37b67f2ce3f6bc  mnf/2.0/RPMS/php432-devel-4.3.4-4.12.M20mdk.i586.rpm
 7dd0f603a0870b896c9396357dcd9efc  mnf/2.0/RPMS/php-cgi-4.3.4-4.12.M20mdk.i586.rpm
 a594814232b0dfa9bdbdf2db8d9089fd  mnf/2.0/RPMS/php-cli-4.3.4-4.12.M20mdk.i586.rpm
 650755a113c483af227369551a1431a3  mnf/2.0/SRPMS/php-4.3.4-4.12.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEMWM1mqjQ0CJFipgRAueUAJ9wzUsSQrpEOdnusK2HUN3TpYwmdACePctu
7lMMhVztNLjgpmDVI43IEnY=
=QXSN
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ