[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [ MDVSA-2009:248 ] php



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:248
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : September 25, 2009
 Affected: 2009.1
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities was discovered and corrected in php:
 
 The php_openssl_apply_verification_policy function in PHP before
 5.2.11 does not properly perform certificate validation, which has
 unknown impact and attack vectors, probably related to an ability to
 spoof certificates (CVE-2009-3291).
 
 Unspecified vulnerability in PHP before 5.2.11 has unknown impact
 and attack vectors related to missing sanity checks around exif
 processing. (CVE-2009-3292)
 
 Unspecified vulnerability in the imagecolortransparent function in
 PHP before 5.2.11 has unknown impact and attack vectors related to an
 incorrect sanity check for the color index. (CVE-2009-3293). However
 in Mandriva we don't use the bundled libgd source in php per default,
 there is a unsupported package in contrib named php-gd-bundled that
 eventually will get updated to pickup these fixes.
 
 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.1:
 85e87867b1548801a6c2db93fc18fb9d  
2009.1/i586/libphp5_common5-5.2.9-6.2mdv2009.1.i586.rpm
 522dceebef8202cddd695f9962db1f18  
2009.1/i586/php-bcmath-5.2.9-6.2mdv2009.1.i586.rpm
 e4f245c0c1f296a7c3adac8daf7125d8  
2009.1/i586/php-bz2-5.2.9-6.2mdv2009.1.i586.rpm
 530e87e21a18e61a70d174213e51e3f1  
2009.1/i586/php-calendar-5.2.9-6.2mdv2009.1.i586.rpm
 d8075e6ce477d0c2c980696870b7d32c  
2009.1/i586/php-cgi-5.2.9-6.2mdv2009.1.i586.rpm
 17bdfb65700ac9515e89104afe26fc7c  
2009.1/i586/php-cli-5.2.9-6.2mdv2009.1.i586.rpm
 03719088b010f503a60a9b60d55d268d  
2009.1/i586/php-ctype-5.2.9-6.2mdv2009.1.i586.rpm
 4d16e8a053e2c619e9b66ca8ad00394c  
2009.1/i586/php-curl-5.2.9-6.2mdv2009.1.i586.rpm
 a229d229ec0c305532a9d522727ca817  
2009.1/i586/php-dba-5.2.9-6.2mdv2009.1.i586.rpm
 d3c14dbf23f93d6f3f348f116a26acb1  
2009.1/i586/php-dbase-5.2.9-6.2mdv2009.1.i586.rpm
 b449e0fbe5dca4baa1bffac5bcc85e07  
2009.1/i586/php-devel-5.2.9-6.2mdv2009.1.i586.rpm
 1dac1b2cc84dfbf9993f2aa26939ffb4  
2009.1/i586/php-dom-5.2.9-6.2mdv2009.1.i586.rpm
 1ef14250dc32846e0395a07f4829d52c  
2009.1/i586/php-exif-5.2.9-6.2mdv2009.1.i586.rpm
 d066223f07fdf6af0722848d82364348  
2009.1/i586/php-fcgi-5.2.9-6.2mdv2009.1.i586.rpm
 aa3d6954c1e78d2653a52ecf16e471ff  
2009.1/i586/php-filter-5.2.9-6.2mdv2009.1.i586.rpm
 35d3f28617e885a4e750bcd3a97ecba0  
2009.1/i586/php-ftp-5.2.9-6.2mdv2009.1.i586.rpm
 9174368e959c14b7a5addd08d4874017  
2009.1/i586/php-gd-5.2.9-6.2mdv2009.1.i586.rpm
 1af200e3d52ea023318a5495d541b1e4  
2009.1/i586/php-gettext-5.2.9-6.2mdv2009.1.i586.rpm
 8c491c96a8ece15d5d60aa5aa2ceab0c  
2009.1/i586/php-gmp-5.2.9-6.2mdv2009.1.i586.rpm
 ae5c5fcc780bdd07d88cfcd349d30e58  
2009.1/i586/php-hash-5.2.9-6.2mdv2009.1.i586.rpm
 2a517cb53a676165d3a4de358c0f148e  
2009.1/i586/php-iconv-5.2.9-6.2mdv2009.1.i586.rpm
 1a4c3ab931cd2df5a347170f36c338f7  
2009.1/i586/php-imap-5.2.9-6.2mdv2009.1.i586.rpm
 37aba4274ae00ded7e087bbb8605f221  
2009.1/i586/php-json-5.2.9-6.2mdv2009.1.i586.rpm
 c10f22cb6dcb0e5016c0535738132065  
2009.1/i586/php-ldap-5.2.9-6.2mdv2009.1.i586.rpm
 5ef7cd867bfd5b2c329a3e4723f84247  
2009.1/i586/php-mbstring-5.2.9-6.2mdv2009.1.i586.rpm
 3de9ad85e6bad9da2f028bb408e33da7  
2009.1/i586/php-mcrypt-5.2.9-6.2mdv2009.1.i586.rpm
 0fc60371b161403a58c02e4f964d4b83  
2009.1/i586/php-mhash-5.2.9-6.2mdv2009.1.i586.rpm
 5294173b4191fb03944840c8679967b0  
2009.1/i586/php-mime_magic-5.2.9-6.2mdv2009.1.i586.rpm
 9df85b613e24cbd38b74978e4e28301c  
2009.1/i586/php-ming-5.2.9-6.2mdv2009.1.i586.rpm
 f2113d23146f1a295579fe6fc012aa1f  
2009.1/i586/php-mssql-5.2.9-6.2mdv2009.1.i586.rpm
 3d8b142f6a4b5290623ef5b28395cd36  
2009.1/i586/php-mysql-5.2.9-6.2mdv2009.1.i586.rpm
 12e09193a2be5a3dfc960e9def73278f  
2009.1/i586/php-mysqli-5.2.9-6.2mdv2009.1.i586.rpm
 1551a51c721087d3b92260d9f585274b  
2009.1/i586/php-ncurses-5.2.9-6.2mdv2009.1.i586.rpm
 916f591a0a987ff98c92cde1cc961e5b  
2009.1/i586/php-odbc-5.2.9-6.2mdv2009.1.i586.rpm
 7cf7be81f66e25ac0695644785808bfc  
2009.1/i586/php-openssl-5.2.9-6.2mdv2009.1.i586.rpm
 f3ba03b40095cc1d08f1a1c725208e80  
2009.1/i586/php-pcntl-5.2.9-6.2mdv2009.1.i586.rpm
 9814280eb36dc952fa84195dee51fcb9  
2009.1/i586/php-pdo-5.2.9-6.2mdv2009.1.i586.rpm
 6eca042187056998cce3218d29b6fe64  
2009.1/i586/php-pdo_dblib-5.2.9-6.2mdv2009.1.i586.rpm
 1db4d26269a9a625e8dd7fce3fb6fac3  
2009.1/i586/php-pdo_mysql-5.2.9-6.2mdv2009.1.i586.rpm
 8fb1ec5235174c0f4f2aed4a059820d0  
2009.1/i586/php-pdo_odbc-5.2.9-6.2mdv2009.1.i586.rpm
 48cbbd29283af0a26ef08f0a8c43764f  
2009.1/i586/php-pdo_pgsql-5.2.9-6.2mdv2009.1.i586.rpm
 52057a39b6523cbdc8c345d55708a726  
2009.1/i586/php-pdo_sqlite-5.2.9-6.2mdv2009.1.i586.rpm
 182deb058e30c6231b5e1b6e9c716773  
2009.1/i586/php-pgsql-5.2.9-6.2mdv2009.1.i586.rpm
 77a01e22aabdcac128d332a49cdf22c2  
2009.1/i586/php-posix-5.2.9-6.2mdv2009.1.i586.rpm
 43a6792914cedc5784a8d632c85906c2  
2009.1/i586/php-pspell-5.2.9-6.2mdv2009.1.i586.rpm
 b45752be458fcdc318624aa8ec5b7282  
2009.1/i586/php-readline-5.2.9-6.2mdv2009.1.i586.rpm
 69765de70de2a84fe5924e68d176c083  
2009.1/i586/php-recode-5.2.9-6.2mdv2009.1.i586.rpm
 b1e80b8432ac9e51c80cdddbb26cd21a  
2009.1/i586/php-session-5.2.9-6.2mdv2009.1.i586.rpm
 8562d7ac3ef9ecafbcbedfc5aeb4d4d0  
2009.1/i586/php-shmop-5.2.9-6.2mdv2009.1.i586.rpm
 e1613016a170a96713fcf6da6682477a  
2009.1/i586/php-snmp-5.2.9-6.2mdv2009.1.i586.rpm
 2e0a5ce706ab444411fc63bfd3e9c8e6  
2009.1/i586/php-soap-5.2.9-6.2mdv2009.1.i586.rpm
 d625751f8c8e4abdf1d362142d76c787  
2009.1/i586/php-sockets-5.2.9-6.2mdv2009.1.i586.rpm
 36dbb23dee2862046ce74ad84b8dd0fe  
2009.1/i586/php-sqlite-5.2.9-6.2mdv2009.1.i586.rpm
 0a50e296bbcb03f1eae5e1842b719fcc  
2009.1/i586/php-sybase-5.2.9-6.2mdv2009.1.i586.rpm
 de1659a6aff4c99b63dc8c1164d2fe61  
2009.1/i586/php-sysvmsg-5.2.9-6.2mdv2009.1.i586.rpm
 2189b13becc4418b0c298ee139b4f8f2  
2009.1/i586/php-sysvsem-5.2.9-6.2mdv2009.1.i586.rpm
 eeeb083fd84b49c50fb6bfb402332dc1  
2009.1/i586/php-sysvshm-5.2.9-6.2mdv2009.1.i586.rpm
 99a1a6307e2e25ebd77932496a76efe8  
2009.1/i586/php-tidy-5.2.9-6.2mdv2009.1.i586.rpm
 5eb2422032a81fd035ed0a835e264fa2  
2009.1/i586/php-tokenizer-5.2.9-6.2mdv2009.1.i586.rpm
 0a372bc1e6df667a9d26c6218ad0a8c6  
2009.1/i586/php-wddx-5.2.9-6.2mdv2009.1.i586.rpm
 a0b1cd31b14ab59fd5be536a7e5701c9  
2009.1/i586/php-xml-5.2.9-6.2mdv2009.1.i586.rpm
 5046cfd407bfd096fa615ab44f8415a1  
2009.1/i586/php-xmlreader-5.2.9-6.2mdv2009.1.i586.rpm
 0b8fd99b5c6de57491d43e9e691b6dcb  
2009.1/i586/php-xmlrpc-5.2.9-6.2mdv2009.1.i586.rpm
 58bd68197b5d38eca13d24cad5a50e36  
2009.1/i586/php-xmlwriter-5.2.9-6.2mdv2009.1.i586.rpm
 c062198e507c9b17a27eed035ffe1eb5  
2009.1/i586/php-xsl-5.2.9-6.2mdv2009.1.i586.rpm
 4d5c7dc89e290ed2366d5bfd33584c56  
2009.1/i586/php-zip-5.2.9-6.2mdv2009.1.i586.rpm
 c7c66b802cc467f02b1b88bdc18b5aa5  
2009.1/i586/php-zlib-5.2.9-6.2mdv2009.1.i586.rpm 
 14ce077421185006aca3c756375f008b  2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 87161d3c159b4ef92ff2496ccac2df7a  
2009.1/x86_64/lib64php5_common5-5.2.9-6.2mdv2009.1.x86_64.rpm
 2cdc374b15af8866d1570ac45adc2d19  
2009.1/x86_64/php-bcmath-5.2.9-6.2mdv2009.1.x86_64.rpm
 aa3e358a57c536a98e08862d310b130d  
2009.1/x86_64/php-bz2-5.2.9-6.2mdv2009.1.x86_64.rpm
 089b7350d826be1e602c212997ca43aa  
2009.1/x86_64/php-calendar-5.2.9-6.2mdv2009.1.x86_64.rpm
 e05cfd39d2acaf7b0c747205afdbafd8  
2009.1/x86_64/php-cgi-5.2.9-6.2mdv2009.1.x86_64.rpm
 e52616165bae90bc50434645ae889ba2  
2009.1/x86_64/php-cli-5.2.9-6.2mdv2009.1.x86_64.rpm
 02f92d9ccbeed27c68f999a08ae1bb74  
2009.1/x86_64/php-ctype-5.2.9-6.2mdv2009.1.x86_64.rpm
 4a4f312fa9c8b47c85346fe43ee280fe  
2009.1/x86_64/php-curl-5.2.9-6.2mdv2009.1.x86_64.rpm
 d50ecf0df916ba2b005ed9aef6b7ee00  
2009.1/x86_64/php-dba-5.2.9-6.2mdv2009.1.x86_64.rpm
 8bb5fecba66fa1f45818841c2e3119c7  
2009.1/x86_64/php-dbase-5.2.9-6.2mdv2009.1.x86_64.rpm
 29e26f8dd9992765b9ab115695d53487  
2009.1/x86_64/php-devel-5.2.9-6.2mdv2009.1.x86_64.rpm
 2fbbef91b647b73ecb28a16e0b20c488  
2009.1/x86_64/php-dom-5.2.9-6.2mdv2009.1.x86_64.rpm
 963db6b3a197618b2909ff47c03ec93e  
2009.1/x86_64/php-exif-5.2.9-6.2mdv2009.1.x86_64.rpm
 46c2a26f74d9a0b05f31f435d2e52d12  
2009.1/x86_64/php-fcgi-5.2.9-6.2mdv2009.1.x86_64.rpm
 b7cd04b9c3cda09a22fce1bac23269b3  
2009.1/x86_64/php-filter-5.2.9-6.2mdv2009.1.x86_64.rpm
 080bffb0d573549dfedd92580ff9d52d  
2009.1/x86_64/php-ftp-5.2.9-6.2mdv2009.1.x86_64.rpm
 0911154fa6039a0afe2a9ed97641171c  
2009.1/x86_64/php-gd-5.2.9-6.2mdv2009.1.x86_64.rpm
 dd674b3c6e2a947efd3b7141950461a5  
2009.1/x86_64/php-gettext-5.2.9-6.2mdv2009.1.x86_64.rpm
 ed7f7469ea0a25d7ccf3c8cfb1f9e636  
2009.1/x86_64/php-gmp-5.2.9-6.2mdv2009.1.x86_64.rpm
 286eaef3b1cc89b4731d56d59ab981a7  
2009.1/x86_64/php-hash-5.2.9-6.2mdv2009.1.x86_64.rpm
 3b872a3a221f411ade41c99cb7d51fb8  
2009.1/x86_64/php-iconv-5.2.9-6.2mdv2009.1.x86_64.rpm
 0b256ee66d4cbe6c2b4c73c2595edc43  
2009.1/x86_64/php-imap-5.2.9-6.2mdv2009.1.x86_64.rpm
 32650ba3e635036500b581778352f584  
2009.1/x86_64/php-json-5.2.9-6.2mdv2009.1.x86_64.rpm
 147f7913e5aafa98babee853a95ac8de  
2009.1/x86_64/php-ldap-5.2.9-6.2mdv2009.1.x86_64.rpm
 a6ba9f430e1d6d99e082aefed08711da  
2009.1/x86_64/php-mbstring-5.2.9-6.2mdv2009.1.x86_64.rpm
 8b2b749896ab0468242362ab350a5865  
2009.1/x86_64/php-mcrypt-5.2.9-6.2mdv2009.1.x86_64.rpm
 01ce4ab0320c725e2081f2d79e5969a1  
2009.1/x86_64/php-mhash-5.2.9-6.2mdv2009.1.x86_64.rpm
 310b3bc146d06143f0f7d92d7816459d  
2009.1/x86_64/php-mime_magic-5.2.9-6.2mdv2009.1.x86_64.rpm
 a860f058befbed412bc8e1112c22eefd  
2009.1/x86_64/php-ming-5.2.9-6.2mdv2009.1.x86_64.rpm
 56e0cae3517d53962295eecbaab3119e  
2009.1/x86_64/php-mssql-5.2.9-6.2mdv2009.1.x86_64.rpm
 65be7a2aa882dbe0a416319c3fe6b1af  
2009.1/x86_64/php-mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
 5f50ead57339280cfc8115483d1b9cb7  
2009.1/x86_64/php-mysqli-5.2.9-6.2mdv2009.1.x86_64.rpm
 2960093a83589892d2fce5dfb3d3498b  
2009.1/x86_64/php-ncurses-5.2.9-6.2mdv2009.1.x86_64.rpm
 2c933d73b441c02a43739f475cee4ea7  
2009.1/x86_64/php-odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
 0eac641892d2cfbf871ea8aa1f2fd2e8  
2009.1/x86_64/php-openssl-5.2.9-6.2mdv2009.1.x86_64.rpm
 701c71a52ff7d776e42f8d1bdea592cd  
2009.1/x86_64/php-pcntl-5.2.9-6.2mdv2009.1.x86_64.rpm
 632035edb60e13778978ac51bb69c849  
2009.1/x86_64/php-pdo-5.2.9-6.2mdv2009.1.x86_64.rpm
 be87405c1568f2b3c6c53eea74c422e6  
2009.1/x86_64/php-pdo_dblib-5.2.9-6.2mdv2009.1.x86_64.rpm
 3daf4fd63832ccfbe876c998ab321d3b  
2009.1/x86_64/php-pdo_mysql-5.2.9-6.2mdv2009.1.x86_64.rpm
 54b7a7bec908451404f229103a9a5127  
2009.1/x86_64/php-pdo_odbc-5.2.9-6.2mdv2009.1.x86_64.rpm
 25ccde4246c6204dfaa769d54eff97a7  
2009.1/x86_64/php-pdo_pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
 44359c40034cc2f19faff6ae6ae9e121  
2009.1/x86_64/php-pdo_sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
 ed77502e3b459fa4ca802a3cdb30f308  
2009.1/x86_64/php-pgsql-5.2.9-6.2mdv2009.1.x86_64.rpm
 9fc636d9e9586bc7c21998fad4aee576  
2009.1/x86_64/php-posix-5.2.9-6.2mdv2009.1.x86_64.rpm
 7dbcddb6aed8923bd042e1335716e311  
2009.1/x86_64/php-pspell-5.2.9-6.2mdv2009.1.x86_64.rpm
 f5fcaac786dfd831d59ea8ad6fc28038  
2009.1/x86_64/php-readline-5.2.9-6.2mdv2009.1.x86_64.rpm
 77eac443f9815c6d0ef8e8fd568db4ee  
2009.1/x86_64/php-recode-5.2.9-6.2mdv2009.1.x86_64.rpm
 856bf3e9057af8bde882438ad1eee118  
2009.1/x86_64/php-session-5.2.9-6.2mdv2009.1.x86_64.rpm
 69cca73c0beddcb52e446d63a73d21e5  
2009.1/x86_64/php-shmop-5.2.9-6.2mdv2009.1.x86_64.rpm
 5d8581b3f8e53b8f52da2da0a73884cc  
2009.1/x86_64/php-snmp-5.2.9-6.2mdv2009.1.x86_64.rpm
 29ea7403270f17ec5bd30b9112205411  
2009.1/x86_64/php-soap-5.2.9-6.2mdv2009.1.x86_64.rpm
 e93c577279cb9cb056bba35e2b186bff  
2009.1/x86_64/php-sockets-5.2.9-6.2mdv2009.1.x86_64.rpm
 3bc830edc296be56698d4f13a3ff88e8  
2009.1/x86_64/php-sqlite-5.2.9-6.2mdv2009.1.x86_64.rpm
 e121a968ed9ef0973768b780f76f8d32  
2009.1/x86_64/php-sybase-5.2.9-6.2mdv2009.1.x86_64.rpm
 fb49c489aee9191893c0938ae9cb8e92  
2009.1/x86_64/php-sysvmsg-5.2.9-6.2mdv2009.1.x86_64.rpm
 e9aaeeed090a397dc7c003987429de0b  
2009.1/x86_64/php-sysvsem-5.2.9-6.2mdv2009.1.x86_64.rpm
 01f1e4c93d7e6382144f20bb59b2ef70  
2009.1/x86_64/php-sysvshm-5.2.9-6.2mdv2009.1.x86_64.rpm
 6267e5a98a49282341ea3dc179924d5e  
2009.1/x86_64/php-tidy-5.2.9-6.2mdv2009.1.x86_64.rpm
 92acb690eb21aa10409c84ff68eef490  
2009.1/x86_64/php-tokenizer-5.2.9-6.2mdv2009.1.x86_64.rpm
 4525cab46df252d7599cefa4627ab0c3  
2009.1/x86_64/php-wddx-5.2.9-6.2mdv2009.1.x86_64.rpm
 3ba5b1bec63ba7291223826530f33e7b  
2009.1/x86_64/php-xml-5.2.9-6.2mdv2009.1.x86_64.rpm
 22731636ce30cf7913ca761d46730159  
2009.1/x86_64/php-xmlreader-5.2.9-6.2mdv2009.1.x86_64.rpm
 d247b289eb6f6e88cfe17c2e7013a569  
2009.1/x86_64/php-xmlrpc-5.2.9-6.2mdv2009.1.x86_64.rpm
 0a00ebcb1987da46f68dc21dc007cad9  
2009.1/x86_64/php-xmlwriter-5.2.9-6.2mdv2009.1.x86_64.rpm
 fad982207327d8e636c6f691e842755b  
2009.1/x86_64/php-xsl-5.2.9-6.2mdv2009.1.x86_64.rpm
 bbda8f6739f36ba02e858840c5070a75  
2009.1/x86_64/php-zip-5.2.9-6.2mdv2009.1.x86_64.rpm
 d40567ee2da7a95b876bff21b748ca3e  
2009.1/x86_64/php-zlib-5.2.9-6.2mdv2009.1.x86_64.rpm 
 14ce077421185006aca3c756375f008b  2009.1/SRPMS/php-5.2.9-6.2mdv2009.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKvPNGmqjQ0CJFipgRAjbJAJ0SV+VlWt41Ne7Zk9zYP2gR9bLkOgCggoJr
FZ9YGT2ZplNudvKNgYo0c0k=
=eYIU
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/