lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <E1UPuWK-0003hI-O0@titan.mandriva.com>
Date: Wed, 10 Apr 2013 14:53:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:114 ] php

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:114
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : php
 Date    : April 10, 2013
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in php:
 
 ext/soap/soap.c in PHP before 5.3.22 and 5.4.x before 5.4.13 does not
 validate the relationship between the soap.wsdl_cache_dir directive
 and the open_basedir directive, which allows remote attackers to
 bypass intended access restrictions by triggering the creation of
 cached SOAP WSDL files in an arbitrary directory (CVE-2013-1635).
 
 The SOAP parser in PHP before 5.3.22 and 5.4.x before 5.4.13 allows
 remote attackers to read arbitrary files via a SOAP WSDL file
 containing an XML external entity declaration in conjunction with an
 entity reference, related to an XML External Entity (XXE) issue in the
 soap_xmlParseFile and soap_xmlParseMemory functions (CVE-2013-1643).
 
 Backported upstream php bug #61930: &quot;openssl corrupts ssl key resource
 when using openssl_get_publickey\(\)&quot; to php-5.3.x.
 
 The new Powered by Mageia logo has been added to php, this is only
 a cosmetic change.
 
 The php-timezonedb package has been updated to the 2013.2 version.
 
 The updated packages have been upgraded to the 5.3.23 version which
 is not vulnerable to these issues.
 
 Additionally, some packages which requires so has been rebuilt for
 php-5.3.23.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643
 http://www.php.net/ChangeLog-5.php#5.3.21
 http://www.php.net/ChangeLog-5.php#5.3.22
 http://www.php.net/ChangeLog-5.php#5.3.23
 https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0101
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 eb6ccf6a13897bb2b4b30778f5ce7848  mbs1/x86_64/apache-mod_php-5.3.23-1.mbs1.x86_64.rpm
 ee1fdaed1a91d6f74ca46600d3cb240a  mbs1/x86_64/lib64php5_common5-5.3.23-1.mbs1.x86_64.rpm
 c59afaf09a3ca2202f0d3e9620f93f92  mbs1/x86_64/php-apc-3.1.13-3.1.mbs1.x86_64.rpm
 424ba242a62047e79bcbe6f70a36eec6  mbs1/x86_64/php-apc-admin-3.1.13-3.1.mbs1.x86_64.rpm
 f139875e195d5c91b363ef392d60a3e9  mbs1/x86_64/php-bcmath-5.3.23-1.mbs1.x86_64.rpm
 bc8a33e468888eba340ce69386f51c8f  mbs1/x86_64/php-bz2-5.3.23-1.mbs1.x86_64.rpm
 1d72629b7d725a2c41d1ba551598d72b  mbs1/x86_64/php-calendar-5.3.23-1.mbs1.x86_64.rpm
 b91c8bc22715ac6f4a2b129a7dd1364e  mbs1/x86_64/php-cgi-5.3.23-1.mbs1.x86_64.rpm
 3bf8efe0a4dfbaf6967f90bca4f022d4  mbs1/x86_64/php-cli-5.3.23-1.mbs1.x86_64.rpm
 ccaf20ad83032d06b5a9b257ff24756a  mbs1/x86_64/php-ctype-5.3.23-1.mbs1.x86_64.rpm
 1063fb382d0b814296ad485ab5e2c914  mbs1/x86_64/php-curl-5.3.23-1.mbs1.x86_64.rpm
 d512b62fe970405c734387e60cbde8b8  mbs1/x86_64/php-dba-5.3.23-1.mbs1.x86_64.rpm
 95664c6ab5183e2afc8c0b410b22ecd7  mbs1/x86_64/php-devel-5.3.23-1.mbs1.x86_64.rpm
 da123cdd42b0278b62dff3f18f37cc1e  mbs1/x86_64/php-dom-5.3.23-1.mbs1.x86_64.rpm
 4576f66587c6da5673291d5d1c8af435  mbs1/x86_64/php-eaccelerator-0.9.6.1-12.1.mbs1.x86_64.rpm
 2bd5abdea51eaf8df617525b3262afb8  mbs1/x86_64/php-eaccelerator-admin-0.9.6.1-12.1.mbs1.x86_64.rpm
 938464525bd4d41ad3120f582f1b40b2  mbs1/x86_64/php-enchant-5.3.23-1.mbs1.x86_64.rpm
 f6e01db91f3c584762868904f9eb2df2  mbs1/x86_64/php-exif-5.3.23-1.mbs1.x86_64.rpm
 535881b0d30432066f729b39dbfc7f23  mbs1/x86_64/php-fileinfo-5.3.23-1.mbs1.x86_64.rpm
 037c2ace3ac0854acffadd830e75344a  mbs1/x86_64/php-filter-5.3.23-1.mbs1.x86_64.rpm
 5f03f3c7c3201044f990f575c0985df3  mbs1/x86_64/php-fpm-5.3.23-1.mbs1.x86_64.rpm
 480b6fde89a8877df1dc49382652e05d  mbs1/x86_64/php-ftp-5.3.23-1.mbs1.x86_64.rpm
 99d3625cd8905d103bbed17b6c8fafca  mbs1/x86_64/php-gd-5.3.23-1.mbs1.x86_64.rpm
 606434d7273a7d7355d800707b4deb81  mbs1/x86_64/php-gd-bundled-5.3.23-1.mbs1.x86_64.rpm
 736eb71aca03cccc7fc22f5918b7789b  mbs1/x86_64/php-gettext-5.3.23-1.mbs1.x86_64.rpm
 abcaf21e8cb6af5672c93f38f1b00fe5  mbs1/x86_64/php-gmp-5.3.23-1.mbs1.x86_64.rpm
 69599e7619b4b96ff571f4bd99c3654c  mbs1/x86_64/php-hash-5.3.23-1.mbs1.x86_64.rpm
 09ffb17b8e21a84c073a522db05c4718  mbs1/x86_64/php-iconv-5.3.23-1.mbs1.x86_64.rpm
 09cadf9049e70170828450320a236423  mbs1/x86_64/php-imap-5.3.23-1.mbs1.x86_64.rpm
 e2b47a2e79d8d3978e3c69f7d8c01dfd  mbs1/x86_64/php-ini-5.3.23-1.mbs1.x86_64.rpm
 921b86c9f3ed247b00a256ceb1197f0d  mbs1/x86_64/php-intl-5.3.23-1.mbs1.x86_64.rpm
 f8370d7d004bfcb9f6e1cb218f807057  mbs1/x86_64/php-json-5.3.23-1.mbs1.x86_64.rpm
 f364d67ab3fb1fe80fd9ec8bf7394009  mbs1/x86_64/php-ldap-5.3.23-1.mbs1.x86_64.rpm
 02251d66f44163a10b8d889676e666cc  mbs1/x86_64/php-mbstring-5.3.23-1.mbs1.x86_64.rpm
 042b1829cce5f61ebedcc5f30ff20035  mbs1/x86_64/php-mcrypt-5.3.23-1.mbs1.x86_64.rpm
 b447078948b75a40d5b30dee81c6976a  mbs1/x86_64/php-mssql-5.3.23-1.mbs1.x86_64.rpm
 6f1b43c82c93443ec96753e9a84950cc  mbs1/x86_64/php-mysql-5.3.23-1.mbs1.x86_64.rpm
 c043a03652e4a352d90c339d8514ab20  mbs1/x86_64/php-mysqli-5.3.23-1.mbs1.x86_64.rpm
 022f739ee9bd47b400cb6e9ef0076d0f  mbs1/x86_64/php-mysqlnd-5.3.23-1.mbs1.x86_64.rpm
 aee527e1c4395bcf47489f5de3e85973  mbs1/x86_64/php-odbc-5.3.23-1.mbs1.x86_64.rpm
 0b12307f28b2ade2a479b1c657106b93  mbs1/x86_64/php-openssl-5.3.23-1.mbs1.x86_64.rpm
 fc8d9c25b960e6dcae3095423fd7eb7b  mbs1/x86_64/php-pcntl-5.3.23-1.mbs1.x86_64.rpm
 87da241b0b678b8d44036ef12263290a  mbs1/x86_64/php-pdo-5.3.23-1.mbs1.x86_64.rpm
 9374747577701c69881eb840142cc7c5  mbs1/x86_64/php-pdo_dblib-5.3.23-1.mbs1.x86_64.rpm
 d84f86e6302c0ab9c8850d739ed06417  mbs1/x86_64/php-pdo_mysql-5.3.23-1.mbs1.x86_64.rpm
 d79d7e295921a4749ffa6d2276a79cb0  mbs1/x86_64/php-pdo_odbc-5.3.23-1.mbs1.x86_64.rpm
 8c44da08c42ba9f444be6a1365130a33  mbs1/x86_64/php-pdo_pgsql-5.3.23-1.mbs1.x86_64.rpm
 dbbf50c04c22723161d2ab414bc4a701  mbs1/x86_64/php-pdo_sqlite-5.3.23-1.mbs1.x86_64.rpm
 84c27f0e6ac5ba3a4fc85090c66cd100  mbs1/x86_64/php-pgsql-5.3.23-1.mbs1.x86_64.rpm
 86a562bb7ba15f4c11a09dc907d06c41  mbs1/x86_64/php-phar-5.3.23-1.mbs1.x86_64.rpm
 f5ebb6199467a8ae183d4453a5ea1eee  mbs1/x86_64/php-posix-5.3.23-1.mbs1.x86_64.rpm
 88a900d553ed56c44b720f5d0d00062d  mbs1/x86_64/php-readline-5.3.23-1.mbs1.x86_64.rpm
 a00f749487581e96a2ffb5bd5e001d6d  mbs1/x86_64/php-recode-5.3.23-1.mbs1.x86_64.rpm
 6f43b086944ca0a4a50502b9097293d4  mbs1/x86_64/php-session-5.3.23-1.mbs1.x86_64.rpm
 e35c2531bf22feeed4c18f4e51c56520  mbs1/x86_64/php-shmop-5.3.23-1.mbs1.x86_64.rpm
 3203ebcfe63025bab1d064ee1a8f0b7f  mbs1/x86_64/php-snmp-5.3.23-1.mbs1.x86_64.rpm
 4f1e87045f17c52c91df55e42fdc268c  mbs1/x86_64/php-soap-5.3.23-1.mbs1.x86_64.rpm
 cbbf0e4f53c9030b17dc930fbf9d4ddf  mbs1/x86_64/php-sockets-5.3.23-1.mbs1.x86_64.rpm
 90c9245030104e2ac3ecc003cf41d8f2  mbs1/x86_64/php-sqlite3-5.3.23-1.mbs1.x86_64.rpm
 a39a2a36b098ca4960b96e280a5c72b8  mbs1/x86_64/php-sqlite-5.3.23-1.mbs1.x86_64.rpm
 ccbcf8d7306343b66ef50c0dea072fc5  mbs1/x86_64/php-sybase_ct-5.3.23-1.mbs1.x86_64.rpm
 06fb9ca27561b796288631dec9b8350e  mbs1/x86_64/php-sysvmsg-5.3.23-1.mbs1.x86_64.rpm
 dd660a7502a3a57d660e31b55ddfad32  mbs1/x86_64/php-sysvsem-5.3.23-1.mbs1.x86_64.rpm
 7fd98dbf4efd765bd0e4d0862c8597cc  mbs1/x86_64/php-sysvshm-5.3.23-1.mbs1.x86_64.rpm
 fe595b63d0935c9a5eebb000de353cd0  mbs1/x86_64/php-tidy-5.3.23-1.mbs1.x86_64.rpm
 9bcb3d7095bc612a8206df87b6baee13  mbs1/x86_64/php-timezonedb-2013.2-1.mbs1.x86_64.rpm
 fe308ad9075cca7013b00c01f55dafca  mbs1/x86_64/php-tokenizer-5.3.23-1.mbs1.x86_64.rpm
 3da940b28fc5abe1136711417c9f3e41  mbs1/x86_64/php-wddx-5.3.23-1.mbs1.x86_64.rpm
 e56f637f9b6291e53aad9b82b97ddae1  mbs1/x86_64/php-xml-5.3.23-1.mbs1.x86_64.rpm
 1ed6a886fd870ac55eb816fc5cc6721e  mbs1/x86_64/php-xmlreader-5.3.23-1.mbs1.x86_64.rpm
 3e6014db54a5daaca554df6a922e42e8  mbs1/x86_64/php-xmlrpc-5.3.23-1.mbs1.x86_64.rpm
 6c8b227163654bda270427918e12ab2f  mbs1/x86_64/php-xmlwriter-5.3.23-1.mbs1.x86_64.rpm
 5d24ec3dd271a844065c92c4289b7fd5  mbs1/x86_64/php-xsl-5.3.23-1.mbs1.x86_64.rpm
 ebd190fa53ef1aee2fb72fa6600fbaa8  mbs1/x86_64/php-zip-5.3.23-1.mbs1.x86_64.rpm
 1b94e4caf7dbbf2337de70e7ff25f545  mbs1/x86_64/php-zlib-5.3.23-1.mbs1.x86_64.rpm 
 60a622b6a226b21fee50fe74a3183501  mbs1/SRPMS/php-5.3.23-1.mbs1.src.rpm
 b70b0f87c49a6b768b72279e9bb23ff4  mbs1/SRPMS/php-apc-3.1.13-3.1.mbs1.src.rpm
 c02d1d4cb37565033aadb6f2422e2b99  mbs1/SRPMS/php-eaccelerator-0.9.6.1-12.1.mbs1.src.rpm
 d8675e1e6ffca04b8721734927e4d101  mbs1/SRPMS/php-gd-bundled-5.3.23-1.mbs1.src.rpm
 d776aa8a353feff61280e9c75271c44d  mbs1/SRPMS/php-timezonedb-2013.2-1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFRZThFmqjQ0CJFipgRAqfiAKDqyVYfEMk4Ab6ahTzKU67czRxLNgCgjzEd
KoH2+wOnRRA2vdv1RddRYlA=
=LR6m
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ