Message-Id: <E1HmKae-0004OH-6w@artemis.annvix.ca>
Date: Thu, 10 May 2007 20:10:40 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDKSA-2007:103 ] - Updated php packages fix multiple vulnerabilities



 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDKSA-2007:103
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : php4
 Date    : May 10, 2007
 Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A heap buffer overflow flaw was found in the xmlrpc extension for PHP.
 A script that implements an XML-RPC server using this extension could
 allow a remote attacker to execute arbitrary code as the apache user.
 This flaw does not, however, affect PHP applications using the pure-PHP
 XML_RPC class provided via PEAR (CVE-2007-1864).
 
 A flaw was found in the ftp extension for PHP.  A script using
 this extension to provide access to a private FTP server and which
 passed untrusted script input directly to any function provided by
 this extension could allow a remote attacker to send arbitrary FTP
 commands to the server (CVE-2007-2509).
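As an added illustration (not part of the advisory or of PHP's own code), the pattern the CVE-2007-2509 paragraph describes: a script that hands request input straight to an ftp_* function, beside a guard that rejects control characters and constrains the value before it reaches the FTP control channel. The underlying mechanism, a CR/LF sequence inside the argument ending one command and starting another, is the injection the fixed ftp extension itself blocks; the host, credentials and parameter name below are constructed placeholders.

```php
<?php
// Added example, not part of the advisory. Shows the CVE-2007-2509 pattern:
// untrusted request input reaching an ftp_* function unchanged.

// Vulnerable pattern: the directory name comes straight from the request.
// With an unpatched ftp extension, a value containing "\r\n" terminates the
// CWD command, and whatever follows is sent to the server as a further command.
function change_dir_unsafe($conn, string $dir): bool
{
    return ftp_chdir($conn, $dir);
}

// Hardened pattern: reject every byte outside printable ASCII (which covers
// CR, LF and NUL) and restrict the value to a single directory name, so the
// argument can only ever be part of one FTP command, patched extension or not.
function validate_ftp_arg(string $value): ?string
{
    if ($value === '' || preg_match('/[^\x20-\x7e]/', $value)) {
        return null;
    }
    // One path segment only: no separators, no traversal.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $value) || $value === '..') {
        return null;
    }
    return $value;
}

function change_dir_safe($conn, string $dir): bool
{
    $clean = validate_ftp_arg($dir);
    if ($clean === null) {
        // Log the rejected input (hex, so control bytes are visible) and refuse.
        error_log('rejected FTP directory argument: ' . bin2hex($dir));
        return false;
    }
    return ftp_chdir($conn, $clean);
}

// Constructed usage: server name and credentials are placeholders.
$conn = ftp_connect('ftp.example.invalid');
if ($conn && ftp_login($conn, 'user', 'password')) {
    change_dir_safe($conn, $_GET['dir'] ?? '');
    ftp_close($conn);
}
```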
 
 Updated packages have been patched to prevent these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
