[Security Announce] [ MDKSA-2006:144 ] - Updated php packages fix vulnerability
Posted on: 08/21/2006 07:42 PM

The Mandriva Security Team has published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2006:144
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php
Date : August 21, 2006
Affected: 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A vulnerability was discovered in the sscanf function that could allow
attackers in certain circumstances to execute arbitrary code via
argument swapping which incremented an index past the end of an array
and triggered a buffer over-read.

Updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4020
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
c4156de63b5b04c72129e275184c8589 2006.0/RPMS/libphp5_common5-5.0.4-9.13.20060mdk.i586.rpm
d8a272fb6115fcb185bf273307cfa945 2006.0/RPMS/php-cgi-5.0.4-9.13.20060mdk.i586.rpm
1cdca894d3ec7810c031329bf9b022b5 2006.0/RPMS/php-cli-5.0.4-9.13.20060mdk.i586.rpm
5729200eecf5a7e8e7113f4b43116723 2006.0/RPMS/php-devel-5.0.4-9.13.20060mdk.i586.rpm
8fa33cfb6ccdd669f27ba1686db24fcd 2006.0/RPMS/php-fcgi-5.0.4-9.13.20060mdk.i586.rpm
60462a513b931f23a15d7b4e6af9af90 2006.0/SRPMS/php-5.0.4-9.13.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
a05922ab7f687dbe9cd74b5546e2ec4f x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.13.20060mdk.x86_64.rpm
00599ac74cb16ef47988addae1a01e94 x86_64/2006.0/RPMS/php-cgi-5.0.4-9.13.20060mdk.x86_64.rpm
0b4ff38a92b2ddf41a25abe1155b6bb8 x86_64/2006.0/RPMS/php-cli-5.0.4-9.13.20060mdk.x86_64.rpm
39eda4d79d65a2ce4f0f9b8d2f66414d x86_64/2006.0/RPMS/php-devel-5.0.4-9.13.20060mdk.x86_64.rpm
be71b05ae1fdb0a38bd5a5831cdb7b2f x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.13.20060mdk.x86_64.rpm
60462a513b931f23a15d7b4e6af9af90 x86_64/2006.0/SRPMS/php-5.0.4-9.13.20060mdk.src.rpm

Corporate 3.0:
e78d38e4f23349aef5fd8fb0ce21f9ed corporate/3.0/RPMS/libphp_common432-4.3.4-4.19.C30mdk.i586.rpm
e02ce53ce1a53d1d2868c7751bfdb4e5 corporate/3.0/RPMS/php432-devel-4.3.4-4.19.C30mdk.i586.rpm
f911c1968c8c4600e304da4cbf6cd91b corporate/3.0/RPMS/php-cgi-4.3.4-4.19.C30mdk.i586.rpm
1555db6b00d118207bb07ef987dea7d0 corporate/3.0/RPMS/php-cli-4.3.4-4.19.C30mdk.i586.rpm
cac345df4a30ed6668aae005b88c5469 corporate/3.0/SRPMS/php-4.3.4-4.19.C30mdk.src.rpm

Corporate 3.0/X86_64:
1af2ab4b349ba0e751716a915b2da80c x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.19.C30mdk.x86_64.rpm
ba056de7a5bc14e1d013b64bd83cd765 x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.19.C30mdk.x86_64.rpm
d15a90260a0b2d0a5b9c3d5a24e18b93 x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.19.C30mdk.x86_64.rpm
ab47db1054598cd47994044be0d58f2a x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.19.C30mdk.x86_64.rpm
cac345df4a30ed6668aae005b88c5469 x86_64/corporate/3.0/SRPMS/php-4.3.4-4.19.C30mdk.src.rpm

Multi Network Firewall 2.0:
c148d89f0bf1c0f6079fe83ef6718402 mnf/2.0/RPMS/libphp_common432-4.3.4-4.19.M20mdk.i586.rpm
1697ade79fd11a329c68b3ed525facf5 mnf/2.0/RPMS/php432-devel-4.3.4-4.19.M20mdk.i586.rpm
f1085937ffe9b8f77cb9ce0d5f6f6e51 mnf/2.0/RPMS/php-cgi-4.3.4-4.19.M20mdk.i586.rpm
85065b170be58a5d6b7248cef13e2404 mnf/2.0/RPMS/php-cli-4.3.4-4.19.M20mdk.i586.rpm
80d16af425dc23129b0bf396344f83d5 mnf/2.0/SRPMS/php-4.3.4-4.19.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFE6f+7mqjQ0CJFipgRAgO4AKCmZjvytxb9tyay3hAE/j1rL94SbgCgrwcv
tfGZbize4boWnozuGCE0KRc=
=umgx
-----END PGP SIGNATURE-----



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2006144__updated_php_packages_fix_vulnerability.html)