Welcome to our website
To take full advantage of all features you need to login or register. Registration is completely free and takes only a few seconds.
[Security Announce] [ MDKSA-2006:063 ] - Updated php packages fix information disclosure vulnerability
Posted by Bob on: 04/04/2006 12:52 AM [ Print | 0 comment(s) ]
The Mandriva Security Team published a new security update for Mandriva Linux. Here the announcement:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:063
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : April 2, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered where the html_entity_decode() function
would return a chunk of memory with length equal to the string
supplied, which could include php code, php ini data, other user data,
etc. Note that by default, Corporate 3.0 and Mandriva Linux LE2005
ship with magic_quotes_gpc on which seems to protect against this
vulnerability "out of the box" but users are encourages to upgrade
regardless.
Once the upgraded packages have been installed, users will need to
issue a "service httpd restart" in order for the fixed packages to be
properly loaded.
Updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.2:
ef3fa2a2d14fb8be4f3febaf83bbffa9 10.2/RPMS/libphp_common432-4.3.10-7.8.102mdk.i586.rpm
4a883be9e264869febfdfc5cdf529a49 10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.i586.rpm
2c1627712cca538956c5f851f616d5ce 10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.i586.rpm
8c6727cf7e6eb10dabc18eab21bfb2e4 10.2/RPMS/php-cli-4.3.10-7.8.102mdk.i586.rpm
42d36049ac84a54b170d64fb1e4bdbfc 10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
0bc53707143b53de67d92e09c3f681ce x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.8.102mdk.x86_64.rpm
aa2afe3688d5467753f3b65f977cdfe2 x86_64/10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.x86_64.rpm
b69f7d7333fd59fc53f2c3cb775cb92d x86_64/10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.x86_64.rpm
9efe4691fa443904d12e05628ec32d1f x86_64/10.2/RPMS/php-cli-4.3.10-7.8.102mdk.x86_64.rpm
42d36049ac84a54b170d64fb1e4bdbfc x86_64/10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm
Mandriva Linux 2006.0:
2a7b4c48f38f0ca7ca1bfc6ee017e27b 2006.0/RPMS/libphp5_common5-5.0.4-9.4.20060mdk.i586.rpm
2b0fe0ae0adfcea994618097ccd8f43e 2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.i586.rpm
6495845826ffc3963ea5fa7602413d99 2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.i586.rpm
67e7e6ac6ffd75ebb3cfb067e16a6e90 2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.i586.rpm
a07dfb39972947e39fc464895703e54f 2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.i586.rpm
c71f42f38e21d547bc3121df180a1f9d 2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
c8d248402a14d3395df39d8460b2d09e x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.4.20060mdk.x86_64.rpm
48903c848a6b6e95e602c9167f21140b x86_64/2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.x86_64.rpm
cf2c3ef8f5dd6a399026777f225e61c2 x86_64/2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.x86_64.rpm
78f44b12e62d382cdde698eddb98de7d x86_64/2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.x86_64.rpm
e6f2546f0ad6786b235ff9d3a5037f18 x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.x86_64.rpm
c71f42f38e21d547bc3121df180a1f9d x86_64/2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm
Corporate 3.0:
bfe7ada522d7d8c94d145d1345ea1cd2 corporate/3.0/RPMS/libphp_common432-4.3.4-4.12.C30mdk.i586.rpm
d6e143fb483b0b491712b1f19d89d343 corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.i586.rpm
bbc4009f6a6ae8c1c57dd19d4d835a76 corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.i586.rpm
30559d249370d48b6620f836857d4a03 corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.i586.rpm
c2a531e21b0337d6e2e189922de96444 corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm
Corporate 3.0/X86_64:
775eb72e9367dfa3f58fbf58baecbbef x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.12.C30mdk.x86_64.rpm
acb65ffa3867a095ec685f3c8964dc79 x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.x86_64.rpm
7ab648313c53a521b42c5fbe861ebefe x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.x86_64.rpm
56821179db1b9e456894a58c816f3766 x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.x86_64.rpm
c2a531e21b0337d6e2e189922de96444 x86_64/corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm
Multi Network Firewall 2.0:
e58ffa871474e313deb349926b22cc7e mnf/2.0/RPMS/libphp_common432-4.3.4-4.12.M20mdk.i586.rpm
0f58a032dcdb3bc45b37b67f2ce3f6bc mnf/2.0/RPMS/php432-devel-4.3.4-4.12.M20mdk.i586.rpm
7dd0f603a0870b896c9396357dcd9efc mnf/2.0/RPMS/php-cgi-4.3.4-4.12.M20mdk.i586.rpm
a594814232b0dfa9bdbdf2db8d9089fd mnf/2.0/RPMS/php-cli-4.3.4-4.12.M20mdk.i586.rpm
650755a113c483af227369551a1431a3 mnf/2.0/SRPMS/php-4.3.4-4.12.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEMWM1mqjQ0CJFipgRAueUAJ9wzUsSQrpEOdnusK2HUN3TpYwmdACePctu
7lMMhVztNLjgpmDVI43IEnY=
=QXSN
-----END PGP SIGNATURE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDKSA-2006:063
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php
Date : April 2, 2006
Affected: 10.2, 2006.0, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered where the html_entity_decode() function
would return a chunk of memory with length equal to the string
supplied, which could include php code, php ini data, other user data,
etc. Note that by default, Corporate 3.0 and Mandriva Linux LE2005
ship with magic_quotes_gpc on which seems to protect against this
vulnerability "out of the box" but users are encourages to upgrade
regardless.
Once the upgraded packages have been installed, users will need to
issue a "service httpd restart" in order for the fixed packages to be
properly loaded.
Updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490
_______________________________________________________________________
Updated Packages:
Mandriva Linux 10.2:
ef3fa2a2d14fb8be4f3febaf83bbffa9 10.2/RPMS/libphp_common432-4.3.10-7.8.102mdk.i586.rpm
4a883be9e264869febfdfc5cdf529a49 10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.i586.rpm
2c1627712cca538956c5f851f616d5ce 10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.i586.rpm
8c6727cf7e6eb10dabc18eab21bfb2e4 10.2/RPMS/php-cli-4.3.10-7.8.102mdk.i586.rpm
42d36049ac84a54b170d64fb1e4bdbfc 10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm
Mandriva Linux 10.2/X86_64:
0bc53707143b53de67d92e09c3f681ce x86_64/10.2/RPMS/lib64php_common432-4.3.10-7.8.102mdk.x86_64.rpm
aa2afe3688d5467753f3b65f977cdfe2 x86_64/10.2/RPMS/php432-devel-4.3.10-7.8.102mdk.x86_64.rpm
b69f7d7333fd59fc53f2c3cb775cb92d x86_64/10.2/RPMS/php-cgi-4.3.10-7.8.102mdk.x86_64.rpm
9efe4691fa443904d12e05628ec32d1f x86_64/10.2/RPMS/php-cli-4.3.10-7.8.102mdk.x86_64.rpm
42d36049ac84a54b170d64fb1e4bdbfc x86_64/10.2/SRPMS/php-4.3.10-7.8.102mdk.src.rpm
Mandriva Linux 2006.0:
2a7b4c48f38f0ca7ca1bfc6ee017e27b 2006.0/RPMS/libphp5_common5-5.0.4-9.4.20060mdk.i586.rpm
2b0fe0ae0adfcea994618097ccd8f43e 2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.i586.rpm
6495845826ffc3963ea5fa7602413d99 2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.i586.rpm
67e7e6ac6ffd75ebb3cfb067e16a6e90 2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.i586.rpm
a07dfb39972947e39fc464895703e54f 2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.i586.rpm
c71f42f38e21d547bc3121df180a1f9d 2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm
Mandriva Linux 2006.0/X86_64:
c8d248402a14d3395df39d8460b2d09e x86_64/2006.0/RPMS/lib64php5_common5-5.0.4-9.4.20060mdk.x86_64.rpm
48903c848a6b6e95e602c9167f21140b x86_64/2006.0/RPMS/php-cgi-5.0.4-9.4.20060mdk.x86_64.rpm
cf2c3ef8f5dd6a399026777f225e61c2 x86_64/2006.0/RPMS/php-cli-5.0.4-9.4.20060mdk.x86_64.rpm
78f44b12e62d382cdde698eddb98de7d x86_64/2006.0/RPMS/php-devel-5.0.4-9.4.20060mdk.x86_64.rpm
e6f2546f0ad6786b235ff9d3a5037f18 x86_64/2006.0/RPMS/php-fcgi-5.0.4-9.4.20060mdk.x86_64.rpm
c71f42f38e21d547bc3121df180a1f9d x86_64/2006.0/SRPMS/php-5.0.4-9.4.20060mdk.src.rpm
Corporate 3.0:
bfe7ada522d7d8c94d145d1345ea1cd2 corporate/3.0/RPMS/libphp_common432-4.3.4-4.12.C30mdk.i586.rpm
d6e143fb483b0b491712b1f19d89d343 corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.i586.rpm
bbc4009f6a6ae8c1c57dd19d4d835a76 corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.i586.rpm
30559d249370d48b6620f836857d4a03 corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.i586.rpm
c2a531e21b0337d6e2e189922de96444 corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm
Corporate 3.0/X86_64:
775eb72e9367dfa3f58fbf58baecbbef x86_64/corporate/3.0/RPMS/lib64php_common432-4.3.4-4.12.C30mdk.x86_64.rpm
acb65ffa3867a095ec685f3c8964dc79 x86_64/corporate/3.0/RPMS/php432-devel-4.3.4-4.12.C30mdk.x86_64.rpm
7ab648313c53a521b42c5fbe861ebefe x86_64/corporate/3.0/RPMS/php-cgi-4.3.4-4.12.C30mdk.x86_64.rpm
56821179db1b9e456894a58c816f3766 x86_64/corporate/3.0/RPMS/php-cli-4.3.4-4.12.C30mdk.x86_64.rpm
c2a531e21b0337d6e2e189922de96444 x86_64/corporate/3.0/SRPMS/php-4.3.4-4.12.C30mdk.src.rpm
Multi Network Firewall 2.0:
e58ffa871474e313deb349926b22cc7e mnf/2.0/RPMS/libphp_common432-4.3.4-4.12.M20mdk.i586.rpm
0f58a032dcdb3bc45b37b67f2ce3f6bc mnf/2.0/RPMS/php432-devel-4.3.4-4.12.M20mdk.i586.rpm
7dd0f603a0870b896c9396357dcd9efc mnf/2.0/RPMS/php-cgi-4.3.4-4.12.M20mdk.i586.rpm
a594814232b0dfa9bdbdf2db8d9089fd mnf/2.0/RPMS/php-cli-4.3.4-4.12.M20mdk.i586.rpm
650755a113c483af227369551a1431a3 mnf/2.0/SRPMS/php-4.3.4-4.12.M20mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
lt;security*mandriva.comgt;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQFEMWM1mqjQ0CJFipgRAueUAJ9wzUsSQrpEOdnusK2HUN3TpYwmdACePctu
7lMMhVztNLjgpmDVI43IEnY=
=QXSN
-----END PGP SIGNATURE-----
