[Technik] [SECURITY] [DSA 1264-1] New php4 packages fix several vulnerabilities
Noèl Köthe
noel at debian.org
Wed Mar 14 21:02:08 CET 2007
On Wednesday, 07.03.2007, 23:04 +0100, Moritz Muehlenhoff wrote:
> Debian Security Advisory DSA 1264-1
> security at debian.org
> http://www.debian.org/security/
> Moritz Muehlenhoff
> March 7th, 2007
> http://www.debian.org/security/faq
>
> Package : php4
> Vulnerability : several
> Problem-Type : remote
> Debian-specific: no
> CVE ID : CVE-2007-0906 CVE-2007-0907 CVE-2006-0908 CVE-2007-0909 CVE-2007-0910 CVE-2007-0988
php4 updated on h01, h02, h03 and cupa.
> For the stable distribution (sarge) these problems have been fixed in
> version 4:4.3.10-19.
changelog:
php4 (4:4.3.10-19) stable-security; urgency=high

  * NMU prepared for the security team by the package maintainer
  * The following security issues are addressed with this update:
    - CVE-2007-0906: Multiple buffer overflows in various code:
      * session (addressed in patch for CVE-2007-0910 below)
      * imap (CVE-2007-0906-imap.patch)
      * str_replace: (CVE-2007-0906-strreplace.patch)
      * the zip, sqlite, stream filters, mail, and interbase related
        vulnerabilities in this CVE do not affect the debian sarge php4
        source package.
    - CVE-2007-0907: Buffer underflow in sapi_header_op (CVE-2007-0907.patch)
    - CVE-2007-0908: wddx module information disclosure (CVE-2007-0908.patch)
    - CVE-2007-0909: More buffer overflows:
      * the odbc_result_all function (CVE-2007-0909-odbc.patch)
      * various formatted print functions (CVE-2007-0909-printf.patch)
    - CVE-2007-0910: Clobbering of super-global variables (CVE-2007-0910.patch)
    - CVE-2007-0988: DoS in unserialize on 64bit platforms (CVE-2007-0988.patch)
  * The package maintainers would like to thank Joe Orton from redhat and
    Martin Pitt from ubuntu for their help in the preparation of this update.

 -- sean finney <seanius at debian.org>  Tue, 27 Feb 2007 00:31:08 +0100
FYI: This and the two following DSAs were stuck in Mailman for a while because of their size. :(
--
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org
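The advisory quoted above states the fixed sarge version as 4:4.3.10-19, and the mail reports the update as applied on several hosts. The check a practitioner wants next is whether every installed php4 binary package on a host is at or past that version. The Python below is an added example, not part of the original mail and not Debian's own tooling: it re-implements dpkg's version ordering (epoch, upstream version, Debian revision, with the `~` and digit-run rules) so the comparison runs offline and can be read, and applies it to `dpkg-query -W -f='${Package} ${Version}\n'`-style output. The embedded dpkg-query output is constructed for illustration, not taken from h01, h02, h03 or cupa; on a real host you would pipe the real output in, or simply call `dpkg --compare-versions`.

```python
# Added example: offline check of installed php4 versions against the
# fixed version named in DSA 1264-1. Re-implements dpkg's ordering rules
# (Debian Policy 5.6.12) so no dpkg binary is needed to run it.

FIXED_PHP4_SARGE = "4:4.3.10-19"   # fixed version stated in DSA 1264-1

_DIGITS = "0123456789"
_LETTERS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _order(c: str) -> int:
    """dpkg character weight: '~' < end of string/digit < letters < others."""
    if c == "" or c in _DIGITS:
        return 0
    if c in _LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using dpkg weights.
        while (i < len(a) and a[i] not in _DIGITS) or (j < len(b) and b[j] not in _DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run is the larger
        # number; equal-length runs decide on the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in _DIGITS and j < len(b) and b[j] in _DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in _DIGITS:
            return 1
        if j < len(b) and b[j] in _DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)   # last hyphen starts the revision
    else:
        upstream, revision = rest, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return <0, 0 or >0 as `dpkg --compare-versions` orders a against b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed: str, fixed: str = FIXED_PHP4_SARGE) -> bool:
    """True if the installed version is the fixed version or newer."""
    return compare_versions(installed, fixed) >= 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' 'php4*'`
# output; not real data from the hosts named in the mail.
SAMPLE_DPKG_OUTPUT = """\
php4 4:4.3.10-18
php4-cgi 4:4.3.10-19
php4-cli 4:4.3.10-16
php4-common 4:4.3.10-19
libapache2-mod-php4 4:4.3.10-19
"""


def vulnerable_packages(dpkg_output: str, fixed: str = FIXED_PHP4_SARGE):
    """Return (package, version) pairs whose version is still below `fixed`."""
    found = []
    for line in dpkg_output.splitlines():
        if line.strip():
            package, version = line.split()
            if not is_fixed(version, fixed):
                found.append((package, version))
    return found


if __name__ == "__main__":
    for package, version in vulnerable_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{package} {version} is below {FIXED_PHP4_SARGE}: still vulnerable")
```

Two details matter when doing this by hand: the epoch is part of the version, so a version reported without the `4:` prefix compares below the fixed version even though the digits match, and a `~` suffix (as in backport builds) sorts before the bare revision, so `4:4.3.10-19~bpo1` is not fixed while `4:4.3.10-19sarge1` is.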