drucken bookmarks versenden konfigurieren admin pdf Sicherheit: Mehrere Probleme in php
Name: |
Mehrere Probleme in php |
|
ID: |
RHSA-2007:0154-01 |
|
Distribution: |
Red Hat |
|
Plattformen: |
Red Hat Enterprise Linux |
|
Datum: |
Mo, 16. April 2007, 17:44 |
|
Referenzen: |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711 |
|
Applikationen: |
PHP |
|
Originalnachricht |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
- --------------------------------------------------------------------- Red Hat Security Advisory
Synopsis: Important: php security update Advisory ID: RHSA-2007:0154-01 Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0154.html Issue date: 2007-04-16 Updated on: 2007-04-16 Product: Red Hat Enterprise Linux CVE Names: CVE-2007-1285 CVE-2007-1286 CVE-2007-1711 - ---------------------------------------------------------------------
1. Summary:
Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1.
This update has been rated as having important security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64 Red Hat Linux Advanced Workstation 2.1 - ia64 Red Hat Enterprise Linux ES version 2.1 - i386 Red Hat Enterprise Linux WS version 2.1 - i386
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.
A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285)
A flaw was found in the way PHP's unserialize() function processes data. If a remote attacker is able to pass arbitrary data to PHP's unserialize() function, it may be possible for them to execute arbitrary code as the apache user. (CVE-2007-1286)
A double free flaw was found in PHP's session_decode() function. If a remote attacker is able to pass arbitrary data to PHP's session_decode() function, it may be possible for them to execute arbitrary code as the apache user. (CVE-2007-1711)
Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
235225 - CVE-2007-1285 Multiple "Month of PHP Bugs" PHP issues (CVE-2007-1286, CVE-2007-1711)
6. RPMs required:
Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/php-4.1.2-2.17.src.rpm 9820e0982acdf72a0f8c9af02f4e5f6a php-4.1.2-2.17.src.rpm
i386: 856a5725715e6d970d7fe5fce209780c php-4.1.2-2.17.i386.rpm 98b74cc772436080d6f1b0b08e4a5690 php-devel-4.1.2-2.17.i386.rpm 403e01c242b079c3988c25c6406c3734 php-imap-4.1.2-2.17.i386.rpm e2cc407fd74569e37e95f27f0aa0c873 php-ldap-4.1.2-2.17.i386.rpm b6876b825654e6dd9cd5b400da47611c php-manual-4.1.2-2.17.i386.rpm 442f5cacbbf06f9a3b6e1d359c9acd55 php-mysql-4.1.2-2.17.i386.rpm 8ba4b70e2f358f4c35775b90b955e88e php-odbc-4.1.2-2.17.i386.rpm 03b45786fdaea33bcc179b2d375f9995 php-pgsql-4.1.2-2.17.i386.rpm
ia64: f03338d56473c9c2af996e5de897d843 php-4.1.2-2.17.ia64.rpm d3d03471a50878eb9330ca226ce47da9 php-devel-4.1.2-2.17.ia64.rpm efe489bd298c35685ba6127ebcb67575 php-imap-4.1.2-2.17.ia64.rpm a35e27188fb680cd0f192ea85065f7ae php-ldap-4.1.2-2.17.ia64.rpm 22aed8fc2144c5e23ffb65aeb792b8fa php-manual-4.1.2-2.17.ia64.rpm abc59cffe540ebdc24d968ae3bb716c7 php-mysql-4.1.2-2.17.ia64.rpm 58fefa66509e3babfecb58f2642116e8 php-odbc-4.1.2-2.17.ia64.rpm c603a39fcf3876c7e6123c6725e12b8e php-pgsql-4.1.2-2.17.ia64.rpm
Red Hat Linux Advanced Workstation 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/php-4.1.2-2.17.src.rpm 9820e0982acdf72a0f8c9af02f4e5f6a php-4.1.2-2.17.src.rpm
ia64: f03338d56473c9c2af996e5de897d843 php-4.1.2-2.17.ia64.rpm d3d03471a50878eb9330ca226ce47da9 php-devel-4.1.2-2.17.ia64.rpm efe489bd298c35685ba6127ebcb67575 php-imap-4.1.2-2.17.ia64.rpm a35e27188fb680cd0f192ea85065f7ae php-ldap-4.1.2-2.17.ia64.rpm 22aed8fc2144c5e23ffb65aeb792b8fa php-manual-4.1.2-2.17.ia64.rpm abc59cffe540ebdc24d968ae3bb716c7 php-mysql-4.1.2-2.17.ia64.rpm 58fefa66509e3babfecb58f2642116e8 php-odbc-4.1.2-2.17.ia64.rpm c603a39fcf3876c7e6123c6725e12b8e php-pgsql-4.1.2-2.17.ia64.rpm
Red Hat Enterprise Linux ES version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/php-4.1.2-2.17.src.rpm 9820e0982acdf72a0f8c9af02f4e5f6a php-4.1.2-2.17.src.rpm
i386: 856a5725715e6d970d7fe5fce209780c php-4.1.2-2.17.i386.rpm 98b74cc772436080d6f1b0b08e4a5690 php-devel-4.1.2-2.17.i386.rpm 403e01c242b079c3988c25c6406c3734 php-imap-4.1.2-2.17.i386.rpm e2cc407fd74569e37e95f27f0aa0c873 php-ldap-4.1.2-2.17.i386.rpm b6876b825654e6dd9cd5b400da47611c php-manual-4.1.2-2.17.i386.rpm 442f5cacbbf06f9a3b6e1d359c9acd55 php-mysql-4.1.2-2.17.i386.rpm 8ba4b70e2f358f4c35775b90b955e88e php-odbc-4.1.2-2.17.i386.rpm 03b45786fdaea33bcc179b2d375f9995 php-pgsql-4.1.2-2.17.i386.rpm
Red Hat Enterprise Linux WS version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/php-4.1.2-2.17.src.rpm 9820e0982acdf72a0f8c9af02f4e5f6a php-4.1.2-2.17.src.rpm
i386: 856a5725715e6d970d7fe5fce209780c php-4.1.2-2.17.i386.rpm 98b74cc772436080d6f1b0b08e4a5690 php-devel-4.1.2-2.17.i386.rpm 403e01c242b079c3988c25c6406c3734 php-imap-4.1.2-2.17.i386.rpm e2cc407fd74569e37e95f27f0aa0c873 php-ldap-4.1.2-2.17.i386.rpm b6876b825654e6dd9cd5b400da47611c php-manual-4.1.2-2.17.i386.rpm 442f5cacbbf06f9a3b6e1d359c9acd55 php-mysql-4.1.2-2.17.i386.rpm 8ba4b70e2f358f4c35775b90b955e88e php-odbc-4.1.2-2.17.i386.rpm 03b45786fdaea33bcc179b2d375f9995 php-pgsql-4.1.2-2.17.i386.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711 http://www.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFGI5jIXlSAg2UNWIIRAuYeAJ9QYedhNN6gB8ATTTl+83bo9dMxcQCguMJx 6+m8SarhmI3qDidFoa6gqR8= =3mxQ -----END PGP SIGNATURE-----
-- Enterprise-watch-list mailing list Enterprise-watch-list@redhat.com https://www.redhat.com/mailman/listinfo/enterprise-watch-list
|
|
|
|