Several remote vulnerabilities have been discovered in PHP 5, a hypertext
preprocessor. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2010-1917
The fnmatch function can be abused to conduct denial of service
attacks (by crashing the interpreter) by means of a stack overflow.

CVE-2010-2225
The SplObjectStorage unserializer allows attackers to execute
arbitrary code via serialized data by means of a use-after-free
vulnerability.

MOPS-60
The default sessions serializer does not correctly handle a special
marker, which allows an attacker to inject arbitrary variables into the
session and possibly exploit vulnerabilities in the unserializer.

For the vulnerability described by CVE-2010-1128 (predictable entropy
for the Linear Congruential Generator used to generate session ids), we
do not consider upstream's solution to be sufficient. It is recommended
to uncomment the 'session.entropy_file' and 'session.entropy_length'
settings in the php...
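
A check for the configuration step recommended above, as an added example that is not part of the original advisory: it reports whether 'session.entropy_file' and 'session.entropy_length' are active (uncommented) in a php.ini. The sample fragments and the values /dev/urandom and 32 are constructed for illustration; the path of the php.ini to audit is passed on the command line.

```python
import re
import sys

# "name = value" lines; php.ini directive names are case sensitive.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def active_directives(ini_text):
    """Return {name: value} for directives that are not commented out.
    A later assignment overrides an earlier one, as when PHP reads the file."""
    found = {}
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((";", "[")):
            continue  # blank line, ';' comment or [section] header
        m = _DIRECTIVE.match(line)
        if m:
            value = m.group(2)
            if not value.startswith(('"', "'")):
                value = value.split(";", 1)[0].strip()  # drop trailing comment
            found[m.group(1)] = value.strip("\"'")
    return found

def audit_session_entropy(ini_text):
    """Return a list of findings; an empty list means both settings are active."""
    conf = active_directives(ini_text)
    findings = []
    if not conf.get("session.entropy_file", ""):
        findings.append("session.entropy_file is commented out or empty")
    length = conf.get("session.entropy_length", "")
    if not length.isdigit() or int(length) == 0:
        findings.append("session.entropy_length is commented out, zero or not a number")
    return findings

# Constructed sample fragments (values are assumptions, not from the advisory).
COMMENTED_OUT = """[Session]
session.save_handler = files
;session.entropy_file = /dev/urandom
;session.entropy_length = 32
"""
UNCOMMENTED = COMMENTED_OUT.replace(";session.", "session.")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit.py /path/to/php.ini")
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        problems = audit_session_entropy(fh.read())
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```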