Security: Multiple problems in php
Name: Multiple problems in php
ID: RHSA-2007:0355-01
Distribution: Red Hat
Platforms: Red Hat Application Stack
Date: Thu, 10 May 2007, 14:10
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2510
Applications: PHP
Original message
---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Important: php security update
Advisory ID: RHSA-2007:0355-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2007-0355.html
Issue date: 2007-05-10
Updated on: 2007-05-10
Product: Red Hat Application Stack
CVE Names: CVE-2007-1864 CVE-2007-2509 CVE-2007-2510
---------------------------------------------------------------------
1. Summary:
Updated PHP packages that fix several security issues are now available for Red Hat Application Stack.
This update has been rated as having important security impact by the Red Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64
Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64
3. Problem description:
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.
A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)
A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509)
A buffer overflow flaw was found in the PHP 'soap' extension, regarding the handling of an HTTP redirect response when using the SOAP client provided by this extension with an untrusted SOAP server. No mechanism to trigger this flaw remotely is known. (CVE-2007-2510)
Users of PHP should upgrade to these updated packages, which contain backported patches to correct these issues.
4. Solution:
Before applying this update, make sure that all previously-released errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/FAQ_58_10188
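A quick way to tell whether a host still needs this update is to compare the installed php package version-release against the fixed release the advisory lists (php-5.1.6-3.el4s1.7). The following Python is an added example, not part of the advisory or of Red Hat's tooling: it reimplements a simplified rpmvercmp ordering and runs on constructed rpm -qa output, so it works offline.

```python
import re

# Fixed version-release from RHSA-2007:0355-01; every listed php-* package shares it.
FIXED_PHP_VR = ("5.1.6", "3.el4s1.7")
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def _cmp_label(a, b):
    """rpmvercmp-style compare of one label: digit/alpha runs, digits compare
    numerically, a digit run beats an alpha run, leftover segments win.
    Tilde/caret handling is left out (simplified; not needed for these labels)."""
    xs, ys = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(xs, ys):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(xs) > len(ys)) - (len(xs) < len(ys))

def compare_vr(a, b):
    """Compare (version, release) tuples; returns -1, 0 or 1."""
    for x, y in zip(a, b):
        c = _cmp_label(x, y)
        if c:
            return c
    return 0

def parse_nvr(nvr):
    """Split 'php-cli-5.1.6-3.el4s1.7' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_patched(nvr):
    """True when the installed package is at or above the advisory's fixed release."""
    _, version, release = parse_nvr(nvr)
    return compare_vr((version, release), FIXED_PHP_VR) >= 0

def unpatched_packages(rpm_q_output):
    """Return the php packages in rpm -qa output that are still below the fix."""
    return [nvr for nvr in rpm_q_output.split() if not is_patched(nvr)]

# Constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'php*'`
# on a partially updated host; not output captured from any real system.
SAMPLE_RPM_Q_OUTPUT = """\
php-5.1.6-3.el4s1.6
php-cli-5.1.6-3.el4s1.6
php-xmlrpc-5.1.6-3.el4s1.7
"""
```

Calling `unpatched_packages(SAMPLE_RPM_Q_OUTPUT)` returns the two packages still at release 3.el4s1.6; feed it real `rpm -qa` output in the same format to check a host.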
5. Bug IDs fixed (http://bugzilla.redhat.com/):
239020 - CVE-2007-1864 various PHP security issues (CVE-2007-2509 CVE-2007-2510)
6. RPMs required:
Red Hat Application Stack v1 for Enterprise Linux AS (v.4):
SRPMS:
cff9b05cdb9d99d8c3290475931ea9a7 php-5.1.6-3.el4s1.7.src.rpm
Red Hat Application Stack v1 for Enterprise Linux ES (v.4):
SRPMS:
cff9b05cdb9d99d8c3290475931ea9a7 php-5.1.6-3.el4s1.7.src.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2510
http://www.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact/
Copyright 2007 Red Hat, Inc.
--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list