Security: Multiple problems in PHP
Name: Multiple problems in PHP
ID: RHSA-2007:0162-01
Distribution: Red Hat
Platforms: Red Hat Application Stack
Date: Mon, 16 April 2007, 13:54
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
Applications: PHP

Original message
Red Hat Security Advisory

Synopsis: Moderate: php security update
Advisory ID: RHSA-2007:0162-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0162.html
Issue date: 2007-04-16
Updated on: 2007-04-16
Product: Red Hat Application Stack
CVE Names: CVE-2007-0455 CVE-2007-1001 CVE-2007-1285 CVE-2007-1718 CVE-2007-1583
1. Summary:
Updated PHP packages that fix several security issues are now available for Red Hat Application Stack v1.1.
This update has been rated as having important security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.
A denial of service flaw was found in the way PHP processed a deeply nested array. A remote attacker could cause the PHP interpreter to crash by submitting an input variable with a deeply nested array. (CVE-2007-1285)
A flaw was found in the way the mbstring extension set global variables. A script which used the mb_parse_str() function to set global variables could be forced to enable the register_globals configuration option, possibly resulting in global variable injection. (CVE-2007-1583)
A flaw was discovered in the way PHP's mail() function processed header data. If a script sent mail using a Subject header containing a string from an untrusted source, a remote attacker could send bulk e-mail to unintended recipients. (CVE-2007-1718)
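As an added example, not part of the advisory: a script-side mail() wrapper that rejects control characters in the Subject before the value reaches the header, which is the hardening an application should apply regardless of the interpreter fix. It assumes PHP 5.2 or later; the sender address is hypothetical.

```php
<?php
// Added example, not from the advisory: validate untrusted header values
// before they reach mail(). A CR or LF inside the Subject would end the
// Subject header and let the following text be read as further headers,
// which is how a single message can become mail to unintended recipients.

function is_safe_header_value($value)
{
    // Reject every ASCII control byte (CR, LF, NUL, ...) and DEL.
    return is_string($value) && preg_match('/[\x00-\x1F\x7F]/', $value) !== 1;
}

function safe_subject($subject)
{
    if (!is_safe_header_value($subject)) {
        throw new InvalidArgumentException('Subject contains control characters');
    }
    // Non-ASCII text is RFC 2047 encoded so it stays a single header line.
    if (preg_match('/[\x80-\xFF]/', $subject)) {
        return '=?UTF-8?B?' . base64_encode($subject) . '?=';
    }
    return $subject;
}

function send_notification($to, $subject, $body)
{
    // The recipient is validated as one address, never taken verbatim.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid recipient');
    }
    // Hypothetical fixed sender; no user-controlled data enters these headers.
    $headers = "From: noreply@example.invalid\r\n"
             . "X-Mailer: PHP/" . phpversion();
    return mail($to, safe_subject($subject), $body, $headers);
}

// Constructed inputs: the second carries an injected line break and is refused.
foreach (array("Order confirmation", "Hello\r\nX-Injected: yes") as $candidate) {
    try {
        echo "accepted: ", safe_subject($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```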
A heap-based buffer overflow flaw was discovered in PHP's gd extension. If a script could be forced to process WBMP images from an untrusted source, this could result in arbitrary code execution. (CVE-2007-1001)
A buffer over-read flaw was discovered in PHP's gd extension. If a script could be forced to write arbitrary strings using a JIS font from an untrusted source, this could cause the PHP interpreter to crash. (CVE-2007-0455)
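As an added example, not part of the advisory: a gd front end that allowlists image types and font files, so untrusted WBMP data never reaches the WBMP loader and callers cannot select an arbitrary font file. The font paths and keys are hypothetical; it assumes PHP 5.2 or later with gd and FreeType support.

```php
<?php
// Added example, not from the advisory: keep untrusted input away from the
// gd code paths named above by choosing the loader from the detected image
// type and the font from a fixed, application-owned list.

function load_allowed_image($path)
{
    // getimagesize() reads the header bytes and returns false on unknown
    // data; the client-supplied file name or MIME type is never consulted.
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    switch ($info[2]) {
        case IMAGETYPE_PNG:
            return imagecreatefrompng($path);
        case IMAGETYPE_JPEG:
            return imagecreatefromjpeg($path);
        case IMAGETYPE_GIF:
            return imagecreatefromgif($path);
        default:
            // IMAGETYPE_WBMP and anything else the application does not need.
            return false;
    }
}

// Hypothetical fonts shipped with the application; callers pick by key only,
// so a font file from an untrusted source can neither be named nor uploaded.
function allowed_font_path($key)
{
    $fonts = array(
        'sans'  => '/srv/app/fonts/DejaVuSans.ttf',
        'serif' => '/srv/app/fonts/DejaVuSerif.ttf',
    );
    return isset($fonts[$key]) ? $fonts[$key] : null;
}

function draw_label($image, $text, $fontKey)
{
    $font = allowed_font_path($fontKey);
    if ($font === null || !is_readable($font)) {
        return false;
    }
    $black = imagecolorallocate($image, 0, 0, 0);
    // Render with the vetted TrueType font at 12pt; $text is drawn, not parsed.
    return imagettftext($image, 12, 0, 5, 20, $black, $font, $text) !== false;
}
```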
Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
5. Bug IDs fixed (http://bugzilla.redhat.com/):
235354 - CVE-2007-1285 Multiple PHP Vulnerabilities (CVE-2007-1583, CVE-2007-1718, CVE-2007-1001, CVE-2007-0455)
6. RPMs required:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4):
SRPMS: php-5.1.6-3.el4s1.6.src.rpm 7d2dad5706ad3043f2de3ee54a76337d php-5.1.6-3.el4s1.6.src.rpm
Red Hat Application Stack v1 for Enterprise Linux ES (v.4):
SRPMS: php-5.1.6-3.el4s1.6.src.rpm 7d2dad5706ad3043f2de3ee54a76337d php-5.1.6-3.el4s1.6.src.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0455
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1583
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list