Message-Id: <E1MrGiy-0007Nz-Jv@titan.mandriva.com>
Date: Fri, 25 Sep 2009 21:45:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:248 ] php
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:248
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : September 25, 2009
Affected: 2009.1
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities were discovered and corrected in php:
The php_openssl_apply_verification_policy function in PHP before
5.2.11 does not properly perform certificate validation, which has
unknown impact and attack vectors, probably related to an ability to
spoof certificates (CVE-2009-3291).
Unspecified vulnerability in PHP before 5.2.11 has unknown impact
and attack vectors related to missing sanity checks around exif
processing (CVE-2009-3292).
Unspecified vulnerability in the imagecolortransparent function in
PHP before 5.2.11 has unknown impact and attack vectors related to an
incorrect sanity check for the color index (CVE-2009-3293). However,
in Mandriva we don't use the bundled libgd source in php by default;
there is an unsupported package in contrib named php-gd-bundled that
will eventually be updated to pick up these fixes.
This update provides a solution to these vulnerabilities.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
85e87867b1548801a6c2db93fc18fb9d 2009.1/i586/libphp5_common5-5.2.9-6.2mdv2009.1.i586.rpm
522dceebef8202cddd695f9962db1f18 2009.1/i586/php-bcmath-5.2.9-6.2mdv2009.1.i586.rpm
e4f245c0c1f296a7c3adac8daf7125d8 2009.1/i586/php-bz2-5.2.9-6.2mdv2009.1.i586.rpm
530e87e21a18e61a70d174213e51e3f1 2009.1/i586/php-calendar-5.2.9-6.2mdv2009.1.i586.rpm
d8075e6ce477d0c2c980696870b7d32c 2009.1/i586/php-cgi-5.2.9-6.2mdv2009.1.i586.rpm
17bdfb65700ac9515e89104afe26fc7c 2009.1/i586/php-cli-5.2.9-6.2mdv2009.1.i586.rpm
03719088b010f503a60a9b60d55d268d 2009.1/i586/php-ctype-5.2.9-6.2mdv2009.1.i586.rpm
4d16e8a053e2c619e9b66ca8ad00394c 2009.1/i586/php-curl-5.2.9-6.2mdv2009.1.i586.rpm
a229d229ec0c305532a9d522727ca817 2009.1/i586/php-dba-5.2.9-6.2mdv2009.1.i586.rpm
d3c14dbf23f93d6f3f348f116a26acb1 2009.1/i586/php-dbase-5.2.9-6.2mdv2009.1.i586.rpm
b449e0fbe5dca4baa1bffac5bcc85e07 2009.1/i586/php-devel-5.2.9-6.2mdv2009.1.i586.rpm
1dac1b2cc84dfbf9993f2aa26939ffb4 2009.1/i586/php-dom-5.2.9-6.2mdv2009.1.i586.rpm
1ef14250dc32846e0395a07f4829d52c 2009.1/i586/php-exif-5.2.9-6.2mdv2009.1.i586.rpm
d066223f07fdf6af0722848d82364348 2009.1/i586/php-fcgi-5.2.9-6.2mdv2009.1.i586.rpm
aa3d6954c1e78d2653a52ecf16e471ff 2009.1/i586/php-filter-5.2.9-6.2mdv2009.1.i586.rpm
35d3f28617e885a4e750bcd3a97ecba0 2009.1/i586/php-ftp-5.2.9-6.2mdv2009.1.i586.rpm
9174368e959c14b7a5addd08d4874017 2009.1/i586/php-gd-5.2.9-6.2mdv2009.1.i586.rpm
1af200e3d52ea023318a5495d541b1e4 2009.1/i586/php-gettext-5.2.9-6.2mdv2009.1.i586.rpm
8c491c96a8ece15d5d60aa5aa2ceab0c 2009.1/i586/php-gmp-5.2.9-6.2mdv2009.1.i586.rpm
ae5c5fcc780bdd07d88cfcd349d30e58 2009.1/i586/php-hash-5.2.9-6.2mdv2009.1.i586.rpm
2a517cb53a676165d3a4de358c0f148e 2009.1/i586/php-iconv-5.2.9-6.2mdv2009.1.i586.rpm
1a4c3ab931cd2df5a347170f36c338f7 2009.1/i586/php-imap-5.2.9-6.2mdv2009.1.i586.rpm
37aba4274ae00ded7e087bbb8605f221 2009.1/i586/php-json-5.2.9-6.2mdv2009.1.i586.rpm
c10f22cb6dcb0e5016c0535738132065 2009.1/i586/php-ldap-5.2.9-6.2mdv2009.1.i586.rpm
5ef7cd867bfd5b2c329a3e4723f84247 2009.1/i586/php-mbstring-5.2.9-6.2mdv2009.1.i586.rpm
3de9ad85e6bad9da2f028bb408e33da7 2009.1/i586/php-mcrypt-5.2.9-6.2mdv2009.1.i586.rpm
0fc60371b161403a58c02e4f964d4b83 2009.1/i586/php-mhash-5.2.9-6.2mdv2009.1.i586.rpm
5294173b4191fb03944840c8679967b0 2009.1/i586/php-mime_magic-5.2.9-6.2mdv2009.1.i586.rpm
9df85b613e24cbd38b74978e4e28301c 2009.1/i586/php-ming-5.2.9-6.2mdv2009.1.i586.rpm
f2113d23146f1a295579fe6fc012aa1f 2009.1/i586/php-mssql-5.2.9-6.2mdv2009.1.i586.rpm
3d8b142f6a4b5290623ef5b28395cd36 2009.1/i586/php-mysql-5.2.9-6.2mdv2009.1.i586.rpm
12e09193a2be5a3dfc960e9def73278f 2009.1/i586/php-mysqli-5.2.9-6.2mdv2009.1.i586.rpm
1551a51c721087d3b92260d9f585274b 2009.1/i586/php-ncurses-5.2.9-6.2mdv2009.1.i586.rpm
916f591a0a987ff98c92cde1cc961e5b 2009.1/i586/php-odbc-5.2.9-6.2mdv2009.1.i586.rpm
7cf7be81f66e25ac0695644785808bfc 2009.1/i586/php-openssl-5.2.9-6.2mdv2009.1.i586.rpm
f3ba03b40095cc1d08f1a1c725208e80 2009.1/i586/php-pcntl-5.2.9-6.2mdv2009.1.i586.rpm
9814280eb36dc952fa84195dee51fcb9 2009.1/i586/php-pdo-5.2.9-6.2mdv2009.1.i586.rpm
6eca042187056998cce3218d29b6fe64 2009.1/i586/php-pdo_dblib-5.2.9-6.2mdv2009.1.i586.rpm
1db4d26269a9a625e8dd7fce3fb6fac3 2009.1/i586/php-pdo_mysql-5.2.9-6.2mdv2009.1.i586.rpm
8fb1ec5235174c0f4f2aed4a059820d0 2009.1/i586/php-pdo_odbc-5.2.9-6.2mdv2009.1.i586.rpm
48cbbd29283af0a26ef08f0a8c43764f 2009.1/i586/php-pdo_pgsql-5.2.9-6.2mdv2009.1.i586.rpm
52057a39b6523cbdc8c345d55708a726 2009.1/i586/php-pdo_sqlite-5.2.9-6.2mdv2009.1.i586.rpm
182deb058e30c6231b5e1b6e9c716773 2009.1/i586/php-pgsql-5.2.9-6.2mdv2009.1.i586.rpm
77a01e22aabdcac128d332a49cdf22c2 2009.1/i586/php-posix-5.2.9-6.2mdv2009.1.i586.rpm
43a6792914cedc5784a8d632c85906c2 2009.1/i586/php-pspell-5.2.9-6.2mdv2009.1.i586.rpm
b45752be458fcdc318624aa8ec5b7282 2009.1/i586/php-readline-5.2.9-6.2mdv2009.1.i586.rpm
69765de70de2a84fe5924e68d176c083 2009.1/i586/php-recode-5.2.9-6.2mdv2009.1.i586.rpm
b1e80b8432ac9e51c80cdddbb26cd21a 2009.1/i586/php-session-5.2.9-6.2mdv2009.1.i586.rpm
8562d7ac3ef9ecafbcbedfc5aeb4d4d0 2009.1/i586/php-shmop-5.2.9-6.2mdv2009.1.i586.rpm
e1613016a170a96713fcf6da6682477a 2009.1/i586/php-snmp-5.2.9-6.2mdv2009.1.i586.rpm
2e0a5ce706ab444411fc63bfd3e9c8e6 2009.1/i586/php-soap-5.2.9-6.2mdv2009.1.i586.rpm
d625751f8c8e4abdf1d362142d76c787 2009.1/i586/php-sockets-5.2.9-6.2mdv2009.1.i586.rpm
36dbb23dee2862046ce74ad84b8dd0fe 2009.1/i586/php-sqlite-5.2.9-6.2mdv2009.1.i586.rpm
0a50e296bbcb03f1eae5e1842b719fcc 2009.1/i586/php-sybase-5.2.9-6.2mdv2009.1.i586.rpm
de1659a6aff4c99b63dc8c1164d2fe61 2009.1/i586/php-sysvmsg-5.2.9-6.2mdv2009.1.i586.rpm
2189b13becc4418b0c298ee139b4f8f2 2009.1/i586/php-sysvsem-5.2.9-6.2mdv2009.1.i586.rpm
eeeb083fd84b49c50fb6bfb402332dc1 2009.1/i586/php-sysvshm-5.2.9-6.2mdv2009.1.i586.rpm
99a1a6307e2e25ebd77932496a76efe8 2009.1/i586/php-tidy-5.2.9-6.2mdv2009.1.i586.rpm
5eb2422032a81fd035ed0a835e264fa2 2009.1/i586/php-tokenizer-5.2.9-6.2mdv2009.1.i586.rpm
0a372bc1e6df667a9d26c6218ad0a8c6 2009.1/i586/php-wddx-5.2.9-6.2mdv2009.1.i586.rpm
a0b1cd31b14ab59fd5be536a7e5701c9 2009.1/i586/php-xml-5.2.9-6.2mdv2009.1.i586.rpm
5046cfd407bfd096fa615ab44f8415a1 2009.1/i586/php-xmlreader-5.2.9-6.2mdv2009.1.i586.rpm
0b8fd99b5c6de57491d43e9e691b6dcb 2009.1/i586/php-xmlrpc-5.2.9-6.2mdv2009.1.i586.rpm
58bd68197b5d38eca13d24cad5a50e36 2009.1/i586/php-xmlwriter-5.2.9-6.2mdv2009.1.i586.rpm
c062198e507c9b17a27eed035ffe1eb5 2009.1/i586/php-xsl-5.2.9-6.2mdv2009.1.i586.rpm
4d5c7dc89e290ed2366d5bfd33584c56 2009.1/i586/php-zip-5.2.9-6.2mdv2009.1.i586.rpm
c7c66b802cc467f02b1b88bdc18b5aa5 2009.1/i586/php-zlib-5.2.9-6.2mdv2009.1.i586.rpm
14ce077421185006aca3c756375f008b 2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
87161d3c159b4ef92ff2496ccac2df7a 2009.1/x86_64/lib64php5_common5-5.2.9-6.2mdv2009.1.x86_64.rpm
2cdc374b15af8866d1570ac45adc2d19 2009.1/x86_64/php-bcmath-5.2.9-6.2mdv2009.1.x86_64.rpm
aa3e358a57c536a98e08862d310b130d 2009.1/x86_64/php-bz2-5.2.9-6.2mdv2009.1.x86_64.rpm
089b7350d826be1e602c212997ca43aa 2009.1/x86_64/php-calendar-5.2.9-6.2mdv2009.1.x86_64.rpm
e05cfd39d2acaf7b0c747205afdbafd8 2009.1/x86_64/php-cgi-5.2.9-6.2mdv2009.1.x86_64.rpm
e52616165bae90bc50434645ae889ba2 2009.1/x86_64/php-cli-5.2.9-6.2mdv2009.1.x86_64.rpm
02f92d9ccbeed27c68f999a08ae1bb74 2009.1/x86_64/php-ctype-5.2.9-6.2mdv2009.1.x86_64.rpm
4a4f312fa9c8b47c85346fe43ee280fe 2009.1/x86_64/php-curl-5.2.9-6.2mdv2009.1.x86_64.rpm
d50ecf0df916ba2b005ed9aef6b7ee00 2009.1/x86_64/php-dba-5.2.9-6.2mdv2009.1.x86_64.rpm
8bb5fecba66fa1f45818841c2e3119c7 2009.1/x86_64/php-dbase-5.2.9-6.2mdv2009.1.x86_64.rpm
29e26f8dd9992765b9ab115695d53487 2009.1/x86_64/php-devel-5.2.9-6.2mdv2009.1.x86_64.rpm
2fbbef91b647b73ecb28a16e0b20c488 2009.1/x86_64/php-dom-5.2.9-6.2mdv2009.1.x86_64.rpm
963db6b3a197618b2909ff47c03ec93e 2009.1/x86_64/php-exif-5.2.9-6.2mdv2009.1.x86_64.rpm
46c2a26f74d9a0b05f31f435d2e52d12 2009.1/x86_64/php-fcgi-5.2.9-6.2mdv2009.1.x86_64.rpm
b7cd04b9c3cda09a22fce1bac23269b3 2009.1/x86_64/php-filter-5.2.9-6.2mdv2009.1.x86_64.rpm
080bffb0d573549dfedd92580ff9d52d 2009.1/x86_64/php-ftp-5.2.9-6.2mdv2009.1.x86_64.rpm
0911154fa6039a0afe2a9ed97641171c 2009.1/x86_64/php-gd-5.2.9-6.2mdv2009.1.x86_64.rpm
dd674b3c6e2a947efd3b7141950461a5 2009.1/x86_64/php-gettext-5.2.9-6.2mdv2009.1.x86_64.rpm
ed7f7469ea0a25d7ccf3c8cfb1f9e636 2009.1/x86_64/php-gmp-5.2.9-6.2mdv2009.1.x86_64.rpm
286eaef3b1cc89b4731d56d59ab981a7 2009.1/x86_64/php-hash-5.2.9-6.2mdv2009.1.x86_64.rpm
3b872a3a221f411ade41c99cb7d51fb8 2009.1/x86_64/php-iconv-5.2.9-6.2mdv2009.1.x86_64.rpm
0b256ee66d4cbe6c2b4c73c2595edc43 2009.1/x86_64/php-imap-5.2.9-6.2mdv2009.1.x86_64.rpm
32650ba3e635036500b581778352f584 2009.1/x86_64/php-json-5.2.9-6.2mdv2009.1.x86_64.rpm
147f7913e5aafa98babee853a95ac8de 2009.1/x86_64/php-ldap-5.2.9-6.2mdv2009.1.x86_64.rpm
a6ba9f430e1d6d99e082aefed08711da 2009.1/x86_64/php-mbstring-5.2.9-6.2mdv2009.1.x86_64.rpm
8b2b749896ab0468242362ab350a5865 2009.1/x86_64/php-mcrypt-5.2.9-6.2mdv2009.1.x86_64.rpm
01ce4ab0320c725e2081f2d79e5969a1 2009.1/x86_64/php-mhash-5.2.9-6.2mdv2009.1.x86_64.rpm
310b3bc146d06143f0f7d92d7816459d 2009.1/x86_64/php-mime_magic-5.2.9-6.2mdv2009.1.x86_64.rpm
a860f058befbed412bc8e1112c22eefd 2009.1/x86_64/php-ming-5.2.9-6.2mdv2009.1.x86_64.rpm
56e0cae3517d53962295eecbaab3119e 2009.1/x86_64/php-mssql-5.2.9-6.2mdv2009.1.x86_64.rpm
65be7a2aa882dbe0a416319c3fe6b1af 2009.1/x86_64/php-mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
5f50ead57339280cfc8115483d1b9cb7 2009.1/x86_64/php-mysqli-5.2.9-6.2mdv2009.1.x86_64.rpm
2960093a83589892d2fce5dfb3d3498b 2009.1/x86_64/php-ncurses-5.2.9-6.2mdv2009.1.x86_64.rpm
2c933d73b441c02a43739f475cee4ea7 2009.1/x86_64/php-odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
0eac641892d2cfbf871ea8aa1f2fd2e8 2009.1/x86_64/php-openssl-5.2.9-6.2mdv2009.1.x86_64.rpm
701c71a52ff7d776e42f8d1bdea592cd 2009.1/x86_64/php-pcntl-5.2.9-6.2mdv2009.1.x86_64.rpm
632035edb60e13778978ac51bb69c849 2009.1/x86_64/php-pdo-5.2.9-6.2mdv2009.1.x86_64.rpm
be87405c1568f2b3c6c53eea74c422e6 2009.1/x86_64/php-pdo_dblib-5.2.9-6.2mdv2009.1.x86_64.rpm
3daf4fd63832ccfbe876c998ab321d3b 2009.1/x86_64/php-pdo_mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
54b7a7bec908451404f229103a9a5127 2009.1/x86_64/php-pdo_odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
25ccde4246c6204dfaa769d54eff97a7 2009.1/x86_64/php-pdo_pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
44359c40034cc2f19faff6ae6ae9e121 2009.1/x86_64/php-pdo_sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
ed77502e3b459fa4ca802a3cdb30f308 2009.1/x86_64/php-pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
9fc636d9e9586bc7c21998fad4aee576 2009.1/x86_64/php-posix-5.2.9-6.2mdv2009.1.x86_64.rpm
7dbcddb6aed8923bd042e1335716e311 2009.1/x86_64/php-pspell-5.2.9-6.2mdv2009.1.x86_64.rpm
f5fcaac786dfd831d59ea8ad6fc28038 2009.1/x86_64/php-readline-5.2.9-6.2mdv2009.1.x86_64.rpm
77eac443f9815c6d0ef8e8fd568db4ee 2009.1/x86_64/php-recode-5.2.9-6.2mdv2009.1.x86_64.rpm
856bf3e9057af8bde882438ad1eee118 2009.1/x86_64/php-session-5.2.9-6.2mdv2009.1.x86_64.rpm
69cca73c0beddcb52e446d63a73d21e5 2009.1/x86_64/php-shmop-5.2.9-6.2mdv2009.1.x86_64.rpm
5d8581b3f8e53b8f52da2da0a73884cc 2009.1/x86_64/php-snmp-5.2.9-6.2mdv2009.1.x86_64.rpm
29ea7403270f17ec5bd30b9112205411 2009.1/x86_64/php-soap-5.2.9-6.2mdv2009.1.x86_64.rpm
e93c577279cb9cb056bba35e2b186bff 2009.1/x86_64/php-sockets-5.2.9-6.2mdv2009.1.x86_64.rpm
3bc830edc296be56698d4f13a3ff88e8 2009.1/x86_64/php-sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
e121a968ed9ef0973768b780f76f8d32 2009.1/x86_64/php-sybase-5.2.9-6.2mdv2009.1.x86_64.rpm
fb49c489aee9191893c0938ae9cb8e92 2009.1/x86_64/php-sysvmsg-5.2.9-6.2mdv2009.1.x86_64.rpm
e9aaeeed090a397dc7c003987429de0b 2009.1/x86_64/php-sysvsem-5.2.9-6.2mdv2009.1.x86_64.rpm
01f1e4c93d7e6382144f20bb59b2ef70 2009.1/x86_64/php-sysvshm-5.2.9-6.2mdv2009.1.x86_64.rpm
6267e5a98a49282341ea3dc179924d5e 2009.1/x86_64/php-tidy-5.2.9-6.2mdv2009.1.x86_64.rpm
92acb690eb21aa10409c84ff68eef490 2009.1/x86_64/php-tokenizer-5.2.9-6.2mdv2009.1.x86_64.rpm
4525cab46df252d7599cefa4627ab0c3 2009.1/x86_64/php-wddx-5.2.9-6.2mdv2009.1.x86_64.rpm
3ba5b1bec63ba7291223826530f33e7b 2009.1/x86_64/php-xml-5.2.9-6.2mdv2009.1.x86_64.rpm
22731636ce30cf7913ca761d46730159 2009.1/x86_64/php-xmlreader-5.2.9-6.2mdv2009.1.x86_64.rpm
d247b289eb6f6e88cfe17c2e7013a569 2009.1/x86_64/php-xmlrpc-5.2.9-6.2mdv2009.1.x86_64.rpm
0a00ebcb1987da46f68dc21dc007cad9 2009.1/x86_64/php-xmlwriter-5.2.9-6.2mdv2009.1.x86_64.rpm
fad982207327d8e636c6f691e842755b 2009.1/x86_64/php-xsl-5.2.9-6.2mdv2009.1.x86_64.rpm
bbda8f6739f36ba02e858840c5070a75 2009.1/x86_64/php-zip-5.2.9-6.2mdv2009.1.x86_64.rpm
d40567ee2da7a95b876bff21b748ca3e 2009.1/x86_64/php-zlib-5.2.9-6.2mdv2009.1.x86_64.rpm
14ce077421185006aca3c756375f008b 2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
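As an added illustration of the verification step described above (this script is not part of the advisory or of Mandriva's urpmi/MandrivaUpdate tooling), the following POSIX shell function checks manually downloaded update RPMs against a checksum list in the advisory's "md5 relative/path" format, the case that matters when packages are fetched by hand from a mirror rather than through urpmi. Assumptions: the "Updated Packages" section is saved to a file as-is (section headers and blank lines included), GNU md5sum is on the PATH, and the payload used in the demo is a constructed stand-in, not a real package.

```shell
#!/bin/sh
# Added example, not part of the advisory or of urpmi/MandrivaUpdate:
# verify manually downloaded update RPMs against the advisory's md5 list
# before installing them.  The list file is the advisory text saved as-is
# ("md5 relative/path" lines, section headers, blank lines).
#
# verify_advisory_md5 <checksum-list> <download-dir>
#   returns 0 only if every listed file exists under <download-dir>
#   and its md5 matches; any missing or mismatching file returns 1.
verify_advisory_md5() {
    list="$1"
    dir="$2"
    status=0
    while read -r sum path; do
        # Only lines that start with a 32-hex-digit md5 are package entries;
        # section headers such as "Mandriva Linux 2009.1:" are skipped.
        if ! printf '%s\n' "$sum" | grep -Eq '^[0-9a-f]{32}$'; then
            continue
        fi
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$sum" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            echo "         expected $sum"
            echo "         got      $actual"
            status=1
        fi
    done < "$list"
    return "$status"
}

# The md5 list is only as trustworthy as the PGP signature on the advisory
# mail, and an md5 alone does not authenticate a package.  On a Mandriva host,
# after the checksum step, also verify each package's own GPG signature
# (assumes the Mandriva Security Team key 0x22458A98 was imported with
# "rpm --import"); find returns non-zero if "rpm --checksig" rejects any file.
check_rpm_signatures() {
    dir="$1"
    find "$dir" -name '*.rpm' -exec rpm --checksig {} +
}

# Demo on a constructed sample (a fake payload, not a real RPM), so the
# script runs offline.  A real run points at the saved advisory list and
# the directory the mirror downloads landed in.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2009.1/i586"
pkg="2009.1/i586/php-openssl-5.2.9-6.2mdv2009.1.i586.rpm"
printf 'constructed sample payload\n' > "$demo_dir/$pkg"
{
    echo "Mandriva Linux 2009.1:"
    echo "$(md5sum "$demo_dir/$pkg" | cut -d' ' -f1) $pkg"
} > "$demo_dir/MDVSA-2009-248.md5"
verify_advisory_md5 "$demo_dir/MDVSA-2009-248.md5" "$demo_dir"
rm -rf "$demo_dir"
```

The loop parses the list itself instead of relying on "md5sum -c", so the advisory text can be fed in unedited and a package that is listed but absent from the download directory is reported rather than silently skipped. Run the signature check separately once the checksums pass; a package that matches its md5 but fails "rpm --checksig" should not be installed.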
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFKvPNGmqjQ0CJFipgRAjbJAJ0SV+VlWt41Ne7Zk9zYP2gR9bLkOgCggoJr
FZ9YGT2ZplNudvKNgYo0c0k=
=eYIU
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/