[Technik] [SECURITY] [DSA 1282-1] New php4 packages fix several vulnerabilities

Noèl Köthe noel at debian.org
Mon Apr 30 09:40:05 CEST 2007


On Thursday, 26.04.2007, at 20:23 +0200, Moritz Muehlenhoff wrote:

> Debian Security Advisory DSA 1282-1                    security at debian.org
> http://www.debian.org/security/                         Moritz Muehlenhoff
> April 26th, 2006                        http://www.debian.org/security/faq
> 
> Package        : php4
> Vulnerability  : several
> Problem-Type   : remote
> Debian-specific: no
> CVE ID         : CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711 CVE-2007-1718 CVE-2007-1777

php4 updated on h01, h02, h03, h04 and cupa.

> For the oldstable distribution (sarge) these problems have been fixed in
> version 4.3.10-20.

changelog:
php4 (4:4.3.10-20) oldstable-security; urgency=high

  * NMU prepared for the security team by the package maintainer.
  * The following security issues are addressed with this update:
    - CVE-2007-0910/MOPB-32 session_decode() Double Free Vulnerability
      * note that this is an update to the previous version of the upstream
        fix for CVE-2007-0910, which introduced a separate exploit path.
    - CVE-2007-1286/MOPB-04 unserialize() ZVAL Reference Counter Overflow
    - CVE-2007-1380/MOPB-10 php_binary Session Deserialization Information Leak
    - CVE-2007-1521/MOPB-22 session_regenerate_id() Double Free Vulnerability
    - CVE-2007-1583/MOPB-26 mb_parse_str() register_globals Activation Vuln.
    - CVE-2007-1777/MOPB-35 zip_entry_read() Integer Overflow Vulnerability
  * The other security issues resulting from the "Month of PHP bugs" either
    did not affect the version of php4 shipped in sarge, or did not merit
    a security update according to the established security policy for php
    in debian.  You are encouraged to verify that your configuration is not
    affected by any of the other vulnerabilities by visiting:
        http://www.php-security.org/

 -- sean finney <seanius at debian.org>  Mon, 23 Apr 2007 18:19:17 +0200

-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org