Debian: DSA-2399-1: php5 security update

    Date31 Jan 2012
    CategoryDebian
    Posted ByLinuxSecurity Advisories
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2399-1
    http://www.debian.org/security/                           Thijs Kinkhorst
    January 31, 2012                       http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : php5
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885 
                     CVE-2012-0057 
    
    Several vulnerabilities have been discovered in PHP, the web scripting
    language. The Common Vulnerabilities and Exposures project identifies
    the following issues:
    
    CVE-2011-1938
    
      The UNIX socket handling allowed attackers to trigger a buffer overflow
      via a long path name.
    
    CVE-2011-2483
    
      The crypt_blowfish function did not properly handle 8-bit characters,
      which made it easier for attackers to determine a cleartext password
      by using knowledge of a password hash.
    
    CVE-2011-4566
    
      When used on 32 bit platforms, the exif extension could be used to
      trigger an integer overflow in the exif_process_IFD_TAG function
      when processing a JPEG file.
    
    CVE-2011-4885
    
      It was possible to trigger hash collisions predictably when parsing
      form parameters, which allows remote attackers to cause a denial of
      service by sending many crafted parameters.
    
    CVE-2012-0057
    
      When applying a crafted XSLT transform, an attacker could write files
      to arbitrary places in the filesystem.
    
    NOTE: the fix for CVE-2011-2483 required changing the behaviour of the
    crypt_blowfish function: it is now incompatible with some old (wrongly)
    generated hashes for passwords containing 8-bit characters. See the
    package NEWS entry for details. This change has not been applied to the
    Lenny version of PHP.
    
    
    For the oldstable distribution (lenny), these problems have been fixed
    in version 5.2.6.dfsg.1-1+lenny14.
    
    For the stable distribution (squeeze), these problems have been fixed
    in version 5.3.3-7+squeeze5.
    
    For the testing distribution (wheezy) and unstable distribution (sid),
    these problems have been fixed in version 5.3.9-1.
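    A defender-side check built from the fixed versions listed above, added here as an example and not part of the advisory: it implements dpkg's version-ordering rules in Python so the comparison works without dpkg installed and treats revisions such as +squeeze5 and +lenny14 numerically rather than as plain strings. The FIXED_VERSIONS table and the is_fixed helper are this example's own names; the version strings come from the advisory.

```python
import re

# Fixed php5 versions from DSA-2399-1, keyed by Debian suite (table is this example's own).
FIXED_VERSIONS = {
    "lenny": "5.2.6.dfsg.1-1+lenny14",
    "squeeze": "5.3.3-7+squeeze5",
    "wheezy": "5.3.9-1",
    "sid": "5.3.9-1",
}

def _order(c):
    # dpkg ordering for non-digit characters: '~' < end of string < letters < everything else.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    # Compare two runs of non-digit characters with dpkg's character ordering.
    for i in range(max(len(a), len(b))):
        d = _order(a[i:i + 1]) - _order(b[i:i + 1])
        if d:
            return d
    return 0

def _cmp_part(a, b):
    # Compare an upstream_version or debian_revision: alternate non-digit runs
    # (ordered by _cmp_nondigit) and digit runs (compared numerically).
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        d = _cmp_nondigit(na, nb)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(da or 0) - int(db or 0)
        if d:
            return d
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(v):
    # Split "[epoch:]upstream_version[-debian_revision]" into its three fields.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    # Negative if v1 < v2, zero if equal, positive if v1 > v2 (dpkg --compare-versions semantics).
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(suite, installed):
    # True when the installed php5 version is at or above the advisory's fixed version.
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

    Feed is_fixed the suite and the output of `dpkg-query -W -f '${Version}' php5` to decide whether a host still needs this update.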
    
    We recommend that you upgrade your php5 packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    