
Security: Denial of Service in PHP
Name: Denial of Service in PHP
ID: MDVSA-2014:075
Distribution: Mandriva
Platforms: Mandriva Business Server 1.0
Date: Thu, 10 April 2014, 19:42
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://pecl.php.net/package-info.php?package=timezonedb&version=2014.2
http://www.php.net/ChangeLog-5.php#5.5.11
https://bugs.php.net/bug.php?id=66946
Applications: PHP

Original message

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2014:075
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : php
Date : April 10, 2014
Affected: Business Server 1.0
_______________________________________________________________________

Problem Description:

A vulnerability has been discovered and corrected in php:

The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards
with unlimited repetitions, which allows context-dependent attackers
to cause a denial of service (CPU consumption) via a crafted ASCII
file that triggers a large amount of backtracking, as demonstrated
via a file with many newline characters (CVE-2013-7345).

The updated php packages have been upgraded to the 5.5.11 version
which is not vulnerable to this issue.

Also, the timezonedb PHP PECL module has been updated to the latest
2014.2 version.

Additionally, the PECL packages which require it have been rebuilt
for php-5.5.11.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7345
http://www.php.net/ChangeLog-5.php#5.5.11
https://bugs.php.net/bug.php?id=66946
http://pecl.php.net/package-info.php?package=timezonedb&version=2014.2
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTRnFtmqjQ0CJFipgRAl55AKC/6hbtpY8KcAFw/dVpytpAX2NTZACeKyJS
A5+PL+7Tbndun3dSFZDkzvk=
=X5lW
-----END PGP SIGNATURE-----
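
The backtracking cost described in the advisory, modelled as an added example (not code from Mandriva, PHP or the file project). The pattern shape `^\s*BEGIN\s*{` and the bounded variant `\s{0,100}` are assumptions chosen to fit the description, not the literal magic entry or the upstream fix; the newline-only input is constructed.

```python
WS = " \t\r\n\f\v"  # characters matched by \s in this model

def scan(data, max_ws=None):
    # Models a naive backtracking search for ^\s*BEGIN\s*{ where '^' matches
    # at every line start. max_ws=None is the unbounded \s*; an integer models
    # \s{0,max_ws}. Returns (matched, steps), steps = character tests performed.
    steps = 0
    n = len(data)
    for start in range(n + 1):
        # '^' matches at offset 0 or directly after a newline
        if start and data[start - 1] != "\n":
            continue
        # Greedy whitespace run, limited only by the repetition bound
        end = n if max_ws is None else min(n, start + max_ws)
        i = start
        while i < end and data[i] in WS:
            i += 1
        steps += i - start
        # Backtrack: retry the literal after every shorter whitespace run
        for j in range(i, start - 1, -1):
            steps += 1
            if not data.startswith("BEGIN", j):
                continue
            k = j + 5
            stop = n if max_ws is None else min(n, k + max_ws)
            while k < stop and data[k] in WS:
                k += 1
            if k < n and data[k] == "{":
                return True, steps
    return False, steps

if __name__ == "__main__":
    script = '#!/usr/bin/awk -f\nBEGIN { print "hi" }\n'  # constructed sample
    print("awk sample:", scan(script), scan(script, 100))
    for n in (500, 1000, 2000):
        hostile = "\n" * n  # constructed: a file of newlines only
        print(n, "unbounded:", scan(hostile)[1], "bounded:", scan(hostile, 100)[1])
```

With the unbounded form the step count grows with the square of the input length, because every line start rescans the rest of the file; with a bounded repetition it grows linearly, and both forms still recognise the ordinary awk script.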
