lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1MrGiy-0007Nz-Jv@titan.mandriva.com>
Date: Fri, 25 Sep 2009 21:45:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:248 ] php


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:248
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : September 25, 2009
 Affected: 2009.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities was discovered and corrected in php:
 
 The php_openssl_apply_verification_policy function in PHP before
 5.2.11 does not properly perform certificate validation, which has
 unknown impact and attack vectors, probably related to an ability to
 spoof certificates (CVE-2009-3291).
 
 Unspecified vulnerability in PHP before 5.2.11 has unknown impact
 and attack vectors related to missing sanity checks around exif
 processing. (CVE-2009-3292)
 
 Unspecified vulnerability in the imagecolortransparent function in
 PHP before 5.2.11 has unknown impact and attack vectors related to an
 incorrect sanity check for the color index. (CVE-2009-3293). However
 in Mandriva we don't use the bundled libgd source in php per default,
 there is a unsupported package in contrib named php-gd-bundled that
 eventually will get updated to pickup these fixes.
 
 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.1:
 85e87867b1548801a6c2db93fc18fb9d  2009.1/i586/libphp5_common5-5.2.9-6.2mdv2009.1.i586.rpm
 522dceebef8202cddd695f9962db1f18  2009.1/i586/php-bcmath-5.2.9-6.2mdv2009.1.i586.rpm
 e4f245c0c1f296a7c3adac8daf7125d8  2009.1/i586/php-bz2-5.2.9-6.2mdv2009.1.i586.rpm
 530e87e21a18e61a70d174213e51e3f1  2009.1/i586/php-calendar-5.2.9-6.2mdv2009.1.i586.rpm
 d8075e6ce477d0c2c980696870b7d32c  2009.1/i586/php-cgi-5.2.9-6.2mdv2009.1.i586.rpm
 17bdfb65700ac9515e89104afe26fc7c  2009.1/i586/php-cli-5.2.9-6.2mdv2009.1.i586.rpm
 03719088b010f503a60a9b60d55d268d  2009.1/i586/php-ctype-5.2.9-6.2mdv2009.1.i586.rpm
 4d16e8a053e2c619e9b66ca8ad00394c  2009.1/i586/php-curl-5.2.9-6.2mdv2009.1.i586.rpm
 a229d229ec0c305532a9d522727ca817  2009.1/i586/php-dba-5.2.9-6.2mdv2009.1.i586.rpm
 d3c14dbf23f93d6f3f348f116a26acb1  2009.1/i586/php-dbase-5.2.9-6.2mdv2009.1.i586.rpm
 b449e0fbe5dca4baa1bffac5bcc85e07  2009.1/i586/php-devel-5.2.9-6.2mdv2009.1.i586.rpm
 1dac1b2cc84dfbf9993f2aa26939ffb4  2009.1/i586/php-dom-5.2.9-6.2mdv2009.1.i586.rpm
 1ef14250dc32846e0395a07f4829d52c  2009.1/i586/php-exif-5.2.9-6.2mdv2009.1.i586.rpm
 d066223f07fdf6af0722848d82364348  2009.1/i586/php-fcgi-5.2.9-6.2mdv2009.1.i586.rpm
 aa3d6954c1e78d2653a52ecf16e471ff  2009.1/i586/php-filter-5.2.9-6.2mdv2009.1.i586.rpm
 35d3f28617e885a4e750bcd3a97ecba0  2009.1/i586/php-ftp-5.2.9-6.2mdv2009.1.i586.rpm
 9174368e959c14b7a5addd08d4874017  2009.1/i586/php-gd-5.2.9-6.2mdv2009.1.i586.rpm
 1af200e3d52ea023318a5495d541b1e4  2009.1/i586/php-gettext-5.2.9-6.2mdv2009.1.i586.rpm
 8c491c96a8ece15d5d60aa5aa2ceab0c  2009.1/i586/php-gmp-5.2.9-6.2mdv2009.1.i586.rpm
 ae5c5fcc780bdd07d88cfcd349d30e58  2009.1/i586/php-hash-5.2.9-6.2mdv2009.1.i586.rpm
 2a517cb53a676165d3a4de358c0f148e  2009.1/i586/php-iconv-5.2.9-6.2mdv2009.1.i586.rpm
 1a4c3ab931cd2df5a347170f36c338f7  2009.1/i586/php-imap-5.2.9-6.2mdv2009.1.i586.rpm
 37aba4274ae00ded7e087bbb8605f221  2009.1/i586/php-json-5.2.9-6.2mdv2009.1.i586.rpm
 c10f22cb6dcb0e5016c0535738132065  2009.1/i586/php-ldap-5.2.9-6.2mdv2009.1.i586.rpm
 5ef7cd867bfd5b2c329a3e4723f84247  2009.1/i586/php-mbstring-5.2.9-6.2mdv2009.1.i586.rpm
 3de9ad85e6bad9da2f028bb408e33da7  2009.1/i586/php-mcrypt-5.2.9-6.2mdv2009.1.i586.rpm
 0fc60371b161403a58c02e4f964d4b83  2009.1/i586/php-mhash-5.2.9-6.2mdv2009.1.i586.rpm
 5294173b4191fb03944840c8679967b0  2009.1/i586/php-mime_magic-5.2.9-6.2mdv2009.1.i586.rpm
 9df85b613e24cbd38b74978e4e28301c  2009.1/i586/php-ming-5.2.9-6.2mdv2009.1.i586.rpm
 f2113d23146f1a295579fe6fc012aa1f  2009.1/i586/php-mssql-5.2.9-6.2mdv2009.1.i586.rpm
 3d8b142f6a4b5290623ef5b28395cd36  2009.1/i586/php-mysql-5.2.9-6.2mdv2009.1.i586.rpm
 12e09193a2be5a3dfc960e9def73278f  2009.1/i586/php-mysqli-5.2.9-6.2mdv2009.1.i586.rpm
 1551a51c721087d3b92260d9f585274b  2009.1/i586/php-ncurses-5.2.9-6.2mdv2009.1.i586.rpm
 916f591a0a987ff98c92cde1cc961e5b  2009.1/i586/php-odbc-5.2.9-6.2mdv2009.1.i586.rpm
 7cf7be81f66e25ac0695644785808bfc  2009.1/i586/php-openssl-5.2.9-6.2mdv2009.1.i586.rpm
 f3ba03b40095cc1d08f1a1c725208e80  2009.1/i586/php-pcntl-5.2.9-6.2mdv2009.1.i586.rpm
 9814280eb36dc952fa84195dee51fcb9  2009.1/i586/php-pdo-5.2.9-6.2mdv2009.1.i586.rpm
 6eca042187056998cce3218d29b6fe64  2009.1/i586/php-pdo_dblib-5.2.9-6.2mdv2009.1.i586.rpm
 1db4d26269a9a625e8dd7fce3fb6fac3  2009.1/i586/php-pdo_mysql-5.2.9-6.2mdv2009.1.i586.rpm
 8fb1ec5235174c0f4f2aed4a059820d0  2009.1/i586/php-pdo_odbc-5.2.9-6.2mdv2009.1.i586.rpm
 48cbbd29283af0a26ef08f0a8c43764f  2009.1/i586/php-pdo_pgsql-5.2.9-6.2mdv2009.1.i586.rpm
 52057a39b6523cbdc8c345d55708a726  2009.1/i586/php-pdo_sqlite-5.2.9-6.2mdv2009.1.i586.rpm
 182deb058e30c6231b5e1b6e9c716773  2009.1/i586/php-pgsql-5.2.9-6.2mdv2009.1.i586.rpm
 77a01e22aabdcac128d332a49cdf22c2  2009.1/i586/php-posix-5.2.9-6.2mdv2009.1.i586.rpm
 43a6792914cedc5784a8d632c85906c2  2009.1/i586/php-pspell-5.2.9-6.2mdv2009.1.i586.rpm
 b45752be458fcdc318624aa8ec5b7282  2009.1/i586/php-readline-5.2.9-6.2mdv2009.1.i586.rpm
 69765de70de2a84fe5924e68d176c083  2009.1/i586/php-recode-5.2.9-6.2mdv2009.1.i586.rpm
 b1e80b8432ac9e51c80cdddbb26cd21a  2009.1/i586/php-session-5.2.9-6.2mdv2009.1.i586.rpm
 8562d7ac3ef9ecafbcbedfc5aeb4d4d0  2009.1/i586/php-shmop-5.2.9-6.2mdv2009.1.i586.rpm
 e1613016a170a96713fcf6da6682477a  2009.1/i586/php-snmp-5.2.9-6.2mdv2009.1.i586.rpm
 2e0a5ce706ab444411fc63bfd3e9c8e6  2009.1/i586/php-soap-5.2.9-6.2mdv2009.1.i586.rpm
 d625751f8c8e4abdf1d362142d76c787  2009.1/i586/php-sockets-5.2.9-6.2mdv2009.1.i586.rpm
 36dbb23dee2862046ce74ad84b8dd0fe  2009.1/i586/php-sqlite-5.2.9-6.2mdv2009.1.i586.rpm
 0a50e296bbcb03f1eae5e1842b719fcc  2009.1/i586/php-sybase-5.2.9-6.2mdv2009.1.i586.rpm
 de1659a6aff4c99b63dc8c1164d2fe61  2009.1/i586/php-sysvmsg-5.2.9-6.2mdv2009.1.i586.rpm
 2189b13becc4418b0c298ee139b4f8f2  2009.1/i586/php-sysvsem-5.2.9-6.2mdv2009.1.i586.rpm
 eeeb083fd84b49c50fb6bfb402332dc1  2009.1/i586/php-sysvshm-5.2.9-6.2mdv2009.1.i586.rpm
 99a1a6307e2e25ebd77932496a76efe8  2009.1/i586/php-tidy-5.2.9-6.2mdv2009.1.i586.rpm
 5eb2422032a81fd035ed0a835e264fa2  2009.1/i586/php-tokenizer-5.2.9-6.2mdv2009.1.i586.rpm
 0a372bc1e6df667a9d26c6218ad0a8c6  2009.1/i586/php-wddx-5.2.9-6.2mdv2009.1.i586.rpm
 a0b1cd31b14ab59fd5be536a7e5701c9  2009.1/i586/php-xml-5.2.9-6.2mdv2009.1.i586.rpm
 5046cfd407bfd096fa615ab44f8415a1  2009.1/i586/php-xmlreader-5.2.9-6.2mdv2009.1.i586.rpm
 0b8fd99b5c6de57491d43e9e691b6dcb  2009.1/i586/php-xmlrpc-5.2.9-6.2mdv2009.1.i586.rpm
 58bd68197b5d38eca13d24cad5a50e36  2009.1/i586/php-xmlwriter-5.2.9-6.2mdv2009.1.i586.rpm
 c062198e507c9b17a27eed035ffe1eb5  2009.1/i586/php-xsl-5.2.9-6.2mdv2009.1.i586.rpm
 4d5c7dc89e290ed2366d5bfd33584c56  2009.1/i586/php-zip-5.2.9-6.2mdv2009.1.i586.rpm
 c7c66b802cc467f02b1b88bdc18b5aa5  2009.1/i586/php-zlib-5.2.9-6.2mdv2009.1.i586.rpm 
 14ce077421185006aca3c756375f008b  2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 87161d3c159b4ef92ff2496ccac2df7a  2009.1/x86_64/lib64php5_common5-5.2.9-6.2mdv2009.1.x86_64.rpm
 2cdc374b15af8866d1570ac45adc2d19  2009.1/x86_64/php-bcmath-5.2.9-6.2mdv2009.1.x86_64.rpm
 aa3e358a57c536a98e08862d310b130d  2009.1/x86_64/php-bz2-5.2.9-6.2mdv2009.1.x86_64.rpm
 089b7350d826be1e602c212997ca43aa  2009.1/x86_64/php-calendar-5.2.9-6.2mdv2009.1.x86_64.rpm
 e05cfd39d2acaf7b0c747205afdbafd8  2009.1/x86_64/php-cgi-5.2.9-6.2mdv2009.1.x86_64.rpm
 e52616165bae90bc50434645ae889ba2  2009.1/x86_64/php-cli-5.2.9-6.2mdv2009.1.x86_64.rpm
 02f92d9ccbeed27c68f999a08ae1bb74  2009.1/x86_64/php-ctype-5.2.9-6.2mdv2009.1.x86_64.rpm
 4a4f312fa9c8b47c85346fe43ee280fe  2009.1/x86_64/php-curl-5.2.9-6.2mdv2009.1.x86_64.rpm
 d50ecf0df916ba2b005ed9aef6b7ee00  2009.1/x86_64/php-dba-5.2.9-6.2mdv2009.1.x86_64.rpm
 8bb5fecba66fa1f45818841c2e3119c7  2009.1/x86_64/php-dbase-5.2.9-6.2mdv2009.1.x86_64.rpm
 29e26f8dd9992765b9ab115695d53487  2009.1/x86_64/php-devel-5.2.9-6.2mdv2009.1.x86_64.rpm
 2fbbef91b647b73ecb28a16e0b20c488  2009.1/x86_64/php-dom-5.2.9-6.2mdv2009.1.x86_64.rpm
 963db6b3a197618b2909ff47c03ec93e  2009.1/x86_64/php-exif-5.2.9-6.2mdv2009.1.x86_64.rpm
 46c2a26f74d9a0b05f31f435d2e52d12  2009.1/x86_64/php-fcgi-5.2.9-6.2mdv2009.1.x86_64.rpm
 b7cd04b9c3cda09a22fce1bac23269b3  2009.1/x86_64/php-filter-5.2.9-6.2mdv2009.1.x86_64.rpm
 080bffb0d573549dfedd92580ff9d52d  2009.1/x86_64/php-ftp-5.2.9-6.2mdv2009.1.x86_64.rpm
 0911154fa6039a0afe2a9ed97641171c  2009.1/x86_64/php-gd-5.2.9-6.2mdv2009.1.x86_64.rpm
 dd674b3c6e2a947efd3b7141950461a5  2009.1/x86_64/php-gettext-5.2.9-6.2mdv2009.1.x86_64.rpm
 ed7f7469ea0a25d7ccf3c8cfb1f9e636  2009.1/x86_64/php-gmp-5.2.9-6.2mdv2009.1.x86_64.rpm
 286eaef3b1cc89b4731d56d59ab981a7  2009.1/x86_64/php-hash-5.2.9-6.2mdv2009.1.x86_64.rpm
 3b872a3a221f411ade41c99cb7d51fb8  2009.1/x86_64/php-iconv-5.2.9-6.2mdv2009.1.x86_64.rpm
 0b256ee66d4cbe6c2b4c73c2595edc43  2009.1/x86_64/php-imap-5.2.9-6.2mdv2009.1.x86_64.rpm
 32650ba3e635036500b581778352f584  2009.1/x86_64/php-json-5.2.9-6.2mdv2009.1.x86_64.rpm
 147f7913e5aafa98babee853a95ac8de  2009.1/x86_64/php-ldap-5.2.9-6.2mdv2009.1.x86_64.rpm
 a6ba9f430e1d6d99e082aefed08711da  2009.1/x86_64/php-mbstring-5.2.9-6.2mdv2009.1.x86_64.rpm
 8b2b749896ab0468242362ab350a5865  2009.1/x86_64/php-mcrypt-5.2.9-6.2mdv2009.1.x86_64.rpm
 01ce4ab0320c725e2081f2d79e5969a1  2009.1/x86_64/php-mhash-5.2.9-6.2mdv2009.1.x86_64.rpm
 310b3bc146d06143f0f7d92d7816459d  2009.1/x86_64/php-mime_magic-5.2.9-6.2mdv2009.1.x86_64.rpm
 a860f058befbed412bc8e1112c22eefd  2009.1/x86_64/php-ming-5.2.9-6.2mdv2009.1.x86_64.rpm
 56e0cae3517d53962295eecbaab3119e  2009.1/x86_64/php-mssql-5.2.9-6.2mdv2009.1.x86_64.rpm
 65be7a2aa882dbe0a416319c3fe6b1af  2009.1/x86_64/php-mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
 5f50ead57339280cfc8115483d1b9cb7  2009.1/x86_64/php-mysqli-5.2.9-6.2mdv2009.1.x86_64.rpm
 2960093a83589892d2fce5dfb3d3498b  2009.1/x86_64/php-ncurses-5.2.9-6.2mdv2009.1.x86_64.rpm
 2c933d73b441c02a43739f475cee4ea7  2009.1/x86_64/php-odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
 0eac641892d2cfbf871ea8aa1f2fd2e8  2009.1/x86_64/php-openssl-5.2.9-6.2mdv2009.1.x86_64.rpm
 701c71a52ff7d776e42f8d1bdea592cd  2009.1/x86_64/php-pcntl-5.2.9-6.2mdv2009.1.x86_64.rpm
 632035edb60e13778978ac51bb69c849  2009.1/x86_64/php-pdo-5.2.9-6.2mdv2009.1.x86_64.rpm
 be87405c1568f2b3c6c53eea74c422e6  2009.1/x86_64/php-pdo_dblib-5.2.9-6.2mdv2009.1.x86_64.rpm
 3daf4fd63832ccfbe876c998ab321d3b  2009.1/x86_64/php-pdo_mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
 54b7a7bec908451404f229103a9a5127  2009.1/x86_64/php-pdo_odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
 25ccde4246c6204dfaa769d54eff97a7  2009.1/x86_64/php-pdo_pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
 44359c40034cc2f19faff6ae6ae9e121  2009.1/x86_64/php-pdo_sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
 ed77502e3b459fa4ca802a3cdb30f308  2009.1/x86_64/php-pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
 9fc636d9e9586bc7c21998fad4aee576  2009.1/x86_64/php-posix-5.2.9-6.2mdv2009.1.x86_64.rpm
 7dbcddb6aed8923bd042e1335716e311  2009.1/x86_64/php-pspell-5.2.9-6.2mdv2009.1.x86_64.rpm
 f5fcaac786dfd831d59ea8ad6fc28038  2009.1/x86_64/php-readline-5.2.9-6.2mdv2009.1.x86_64.rpm
 77eac443f9815c6d0ef8e8fd568db4ee  2009.1/x86_64/php-recode-5.2.9-6.2mdv2009.1.x86_64.rpm
 856bf3e9057af8bde882438ad1eee118  2009.1/x86_64/php-session-5.2.9-6.2mdv2009.1.x86_64.rpm
 69cca73c0beddcb52e446d63a73d21e5  2009.1/x86_64/php-shmop-5.2.9-6.2mdv2009.1.x86_64.rpm
 5d8581b3f8e53b8f52da2da0a73884cc  2009.1/x86_64/php-snmp-5.2.9-6.2mdv2009.1.x86_64.rpm
 29ea7403270f17ec5bd30b9112205411  2009.1/x86_64/php-soap-5.2.9-6.2mdv2009.1.x86_64.rpm
 e93c577279cb9cb056bba35e2b186bff  2009.1/x86_64/php-sockets-5.2.9-6.2mdv2009.1.x86_64.rpm
 3bc830edc296be56698d4f13a3ff88e8  2009.1/x86_64/php-sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
 e121a968ed9ef0973768b780f76f8d32  2009.1/x86_64/php-sybase-5.2.9-6.2mdv2009.1.x86_64.rpm
 fb49c489aee9191893c0938ae9cb8e92  2009.1/x86_64/php-sysvmsg-5.2.9-6.2mdv2009.1.x86_64.rpm
 e9aaeeed090a397dc7c003987429de0b  2009.1/x86_64/php-sysvsem-5.2.9-6.2mdv2009.1.x86_64.rpm
 01f1e4c93d7e6382144f20bb59b2ef70  2009.1/x86_64/php-sysvshm-5.2.9-6.2mdv2009.1.x86_64.rpm
 6267e5a98a49282341ea3dc179924d5e  2009.1/x86_64/php-tidy-5.2.9-6.2mdv2009.1.x86_64.rpm
 92acb690eb21aa10409c84ff68eef490  2009.1/x86_64/php-tokenizer-5.2.9-6.2mdv2009.1.x86_64.rpm
 4525cab46df252d7599cefa4627ab0c3  2009.1/x86_64/php-wddx-5.2.9-6.2mdv2009.1.x86_64.rpm
 3ba5b1bec63ba7291223826530f33e7b  2009.1/x86_64/php-xml-5.2.9-6.2mdv2009.1.x86_64.rpm
 22731636ce30cf7913ca761d46730159  2009.1/x86_64/php-xmlreader-5.2.9-6.2mdv2009.1.x86_64.rpm
 d247b289eb6f6e88cfe17c2e7013a569  2009.1/x86_64/php-xmlrpc-5.2.9-6.2mdv2009.1.x86_64.rpm
 0a00ebcb1987da46f68dc21dc007cad9  2009.1/x86_64/php-xmlwriter-5.2.9-6.2mdv2009.1.x86_64.rpm
 fad982207327d8e636c6f691e842755b  2009.1/x86_64/php-xsl-5.2.9-6.2mdv2009.1.x86_64.rpm
 bbda8f6739f36ba02e858840c5070a75  2009.1/x86_64/php-zip-5.2.9-6.2mdv2009.1.x86_64.rpm
 d40567ee2da7a95b876bff21b748ca3e  2009.1/x86_64/php-zlib-5.2.9-6.2mdv2009.1.x86_64.rpm 
 14ce077421185006aca3c756375f008b  2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKvPNGmqjQ0CJFipgRAjbJAJ0SV+VlWt41Ne7Zk9zYP2gR9bLkOgCggoJr
FZ9YGT2ZplNudvKNgYo0c0k=
=eYIU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ