-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:246
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : php
 Date    : September 25, 2009
 Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities were discovered and corrected in php:

 The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent
 attackers to cause a denial of service (file truncation) via a key
 containing a NULL byte. NOTE: this might only be a vulnerability in
 limited circumstances in which the attacker can modify or add database
 entries but does not have permissions to truncate the file
 (CVE-2008-7068).

 The php_openssl_apply_verification_policy function in PHP before 5.2.11
 does not properly perform certificate validation, which has unknown
 impact and attack vectors, probably related to an ability to spoof
 certificates (CVE-2009-3291).

 Unspecified vulnerability in PHP before 5.2.11 has unknown impact and
 attack vectors related to missing sanity checks around exif processing
 (CVE-2009-3292).

 Unspecified vulnerability in the imagecolortransparent function in PHP
 before 5.2.11 has unknown impact and attack vectors related to an
 incorrect sanity check for the color index (CVE-2009-3293).

 This update provides a solution to these vulnerabilities.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7068
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3291
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3292
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3293
 _______________________________________________________________________

 Updated Packages:

 Corporate 3.0:
 4a02595b5eea0b6875698b3171c6de18  corporate/3.0/i586/libphp_common432-4.3.4-4.30.C30mdk.i586.rpm
 1d5d7040ec73f39c49be4cfb6424ccb1  corporate/3.0/i586/php432-devel-4.3.4-4.30.C30mdk.i586.rpm
 223f27eb0ba733c0898589f2bd9f939d  corporate/3.0/i586/php-cgi-4.3.4-4.30.C30mdk.i586.rpm
 f97c40bcbbff8baf4858b2021399f681  corporate/3.0/i586/php-cli-4.3.4-4.30.C30mdk.i586.rpm
 ce14b49faa8a0e0e1f30446a9fd697dd  corporate/3.0/i586/php-dba_bundle-4.3.4-1.1.C30mdk.i586.rpm
 6dba56cf1716e33d1c672806b83a5c56  corporate/3.0/i586/php-gd-4.3.4-1.8.C30mdk.i586.rpm
 6729a16844799b099c84a2ba1396dd47  corporate/3.0/SRPMS/php-4.3.4-4.30.C30mdk.src.rpm
 512d01dbfe8ef3037ec2045746342840  corporate/3.0/SRPMS/php-dba_bundle-4.3.4-1.1.C30mdk.src.rpm
 2d58a96f81c208cad9b65189156f92e0  corporate/3.0/SRPMS/php-gd-4.3.4-1.8.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 a655f05bb696767a5c696b2b1e19b2af  corporate/3.0/x86_64/lib64php_common432-4.3.4-4.30.C30mdk.x86_64.rpm
 3314420b910822f2f44f096d57ae26ad  corporate/3.0/x86_64/php432-devel-4.3.4-4.30.C30mdk.x86_64.rpm
 49183f06afa423ba77d25f22cd14e665  corporate/3.0/x86_64/php-cgi-4.3.4-4.30.C30mdk.x86_64.rpm
 7dd4d4d1f55102dc65f9a307cc2a567e  corporate/3.0/x86_64/php-cli-4.3.4-4.30.C30mdk.x86_64.rpm
 1383e2f9be11322cc66888d426e626cb  corporate/3.0/x86_64/php-dba_bundle-4.3.4-1.1.C30mdk.x86_64.rpm
 ee5a8f85e1746fd01fb98f8ae045bbff  corporate/3.0/x86_64/php-gd-4.3.4-1.8.C30mdk.x86_64.rpm
 6729a16844799b099c84a2ba1396dd47  corporate/3.0/SRPMS/php-4.3.4-4.30.C30mdk.src.rpm
 512d01dbfe8ef3037ec2045746342840  corporate/3.0/SRPMS/php-dba_bundle-4.3.4-1.1.C30mdk.src.rpm
 2d58a96f81c208cad9b65189156f92e0  corporate/3.0/SRPMS/php-gd-4.3.4-1.8.C30mdk.src.rpm

 Corporate 4.0:
 45f2d838136d3294f4e7596a1408dffb  corporate/4.0/i586/libphp4_common4-4.4.4-1.12.20060mlcs4.i586.rpm
 c463bf145de6bf1c1db9617a24c5990b  corporate/4.0/i586/libphp5_common5-5.1.6-1.14.20060mlcs4.i586.rpm
 914be4bcb8007085dce3aad3199886a8  corporate/4.0/i586/php4-cgi-4.4.4-1.12.20060mlcs4.i586.rpm
 a79f33c63c659b8e19e3b53a3082586f  corporate/4.0/i586/php4-cli-4.4.4-1.12.20060mlcs4.i586.rpm
 1e0b3de1715819c4edb48335e88ca651  corporate/4.0/i586/php4-dba_bundle-4.4.4-1.1.20060mlcs4.i586.rpm
 b6b729eafe1d4baa6112831a64a3b360  corporate/4.0/i586/php4-devel-4.4.4-1.12.20060mlcs4.i586.rpm
 6b0b011b252fb1ceb8f441767d27f184  corporate/4.0/i586/php4-exif-4.4.4-1.2.20060mlcs4.i586.rpm
 4b46d5f0527c24e44a9dbab9f5513a65  corporate/4.0/i586/php-cgi-5.1.6-1.14.20060mlcs4.i586.rpm
 6984850d55cb492e6f0ee2d4f7655286  corporate/4.0/i586/php-cli-5.1.6-1.14.20060mlcs4.i586.rpm
 683507d8d6498eb22acd4bf67c08f3e1  corporate/4.0/i586/php-dba-5.1.6-1.1.20060mlcs4.i586.rpm
 0b9fe463ab494e9421f96d6124276fa6  corporate/4.0/i586/php-devel-5.1.6-1.14.20060mlcs4.i586.rpm
 00ba586a8ac5786de8c2196ab85d8cec  corporate/4.0/i586/php-exif-5.1.6-1.2.20060mlcs4.i586.rpm
 5b0686519a27b7faa3ba549fbc6ddce4  corporate/4.0/i586/php-fcgi-5.1.6-1.14.20060mlcs4.i586.rpm
 92c4a3461f37546cec2e0d203ee55c5f  corporate/4.0/i586/php-gd-5.1.6-1.1.20060mlcs4.i586.rpm
 000d8f8c7c014e06dc26aa0cb579c5d8  corporate/4.0/SRPMS/php4-4.4.4-1.12.20060mlcs4.src.rpm
 26fb6c37afef6a5fcd5208bad2ebc553  corporate/4.0/SRPMS/php4-dba_bundle-4.4.4-1.1.20060mlcs4.src.rpm
 1dd0142cab4710111ea4ba356632e4f4  corporate/4.0/SRPMS/php4-exif-4.4.4-1.2.20060mlcs4.src.rpm
 800e3ef31cb6a98c3c7391b53c100d1a  corporate/4.0/SRPMS/php-5.1.6-1.14.20060mlcs4.src.rpm
 6e0180221caaa5f8fbaf72f269b0c1ff  corporate/4.0/SRPMS/php-dba-5.1.6-1.1.20060mlcs4.src.rpm
 3f84b5d0bd2e3ae9d8a6cc61ee842eba  corporate/4.0/SRPMS/php-exif-5.1.6-1.2.20060mlcs4.src.rpm
 fbc401dc2fbf97e849568d42f3a0907d  corporate/4.0/SRPMS/php-gd-5.1.6-1.1.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 f4673f56052dc7eba2ef99ec1a087b90  corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.12.20060mlcs4.x86_64.rpm
 a1d13abd89f308b9acd14d642fcdd4f2  corporate/4.0/x86_64/lib64php5_common5-5.1.6-1.14.20060mlcs4.x86_64.rpm
 95d1663b8cb815525ae40f3a1ef60cae  corporate/4.0/x86_64/php4-cgi-4.4.4-1.12.20060mlcs4.x86_64.rpm
 bd86092a42f161beaf8a29b8e5f7531e  corporate/4.0/x86_64/php4-cli-4.4.4-1.12.20060mlcs4.x86_64.rpm
 67bc38c3e38ef6541828706179a13f1e  corporate/4.0/x86_64/php4-dba_bundle-4.4.4-1.1.20060mlcs4.x86_64.rpm
 f4d2a49b4abefbc5d517aae7630345f9  corporate/4.0/x86_64/php4-devel-4.4.4-1.12.20060mlcs4.x86_64.rpm
 547ed3d3a4cee4dc66da158241316b80  corporate/4.0/x86_64/php4-exif-4.4.4-1.2.20060mlcs4.x86_64.rpm
 391646867948bc40505a7346b3214e1b  corporate/4.0/x86_64/php-cgi-5.1.6-1.14.20060mlcs4.x86_64.rpm
 a201cd45b38486f398081a1d16ac7d72  corporate/4.0/x86_64/php-cli-5.1.6-1.14.20060mlcs4.x86_64.rpm
 a67a0a8ba90e41f18fd36bc1f05e3311  corporate/4.0/x86_64/php-dba-5.1.6-1.1.20060mlcs4.x86_64.rpm
 a636fea041109d1d28c7323d4075179e  corporate/4.0/x86_64/php-devel-5.1.6-1.14.20060mlcs4.x86_64.rpm
 c02a5dda722f0d6fa7144feb8ba1ce50  corporate/4.0/x86_64/php-exif-5.1.6-1.2.20060mlcs4.x86_64.rpm
 e50415f8780f27db1b68a10a6d372a6f  corporate/4.0/x86_64/php-fcgi-5.1.6-1.14.20060mlcs4.x86_64.rpm
 91fabbd879295321a4573cff179fec16  corporate/4.0/x86_64/php-gd-5.1.6-1.1.20060mlcs4.x86_64.rpm
 000d8f8c7c014e06dc26aa0cb579c5d8  corporate/4.0/SRPMS/php4-4.4.4-1.12.20060mlcs4.src.rpm
 26fb6c37afef6a5fcd5208bad2ebc553  corporate/4.0/SRPMS/php4-dba_bundle-4.4.4-1.1.20060mlcs4.src.rpm
 1dd0142cab4710111ea4ba356632e4f4  corporate/4.0/SRPMS/php4-exif-4.4.4-1.2.20060mlcs4.src.rpm
 800e3ef31cb6a98c3c7391b53c100d1a  corporate/4.0/SRPMS/php-5.1.6-1.14.20060mlcs4.src.rpm
 6e0180221caaa5f8fbaf72f269b0c1ff  corporate/4.0/SRPMS/php-dba-5.1.6-1.1.20060mlcs4.src.rpm
 3f84b5d0bd2e3ae9d8a6cc61ee842eba  corporate/4.0/SRPMS/php-exif-5.1.6-1.2.20060mlcs4.src.rpm
 fbc401dc2fbf97e849568d42f3a0907d  corporate/4.0/SRPMS/php-gd-5.1.6-1.1.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 b4c61a34209cb2665757431b76c29618  mnf/2.0/i586/libphp_common432-4.3.4-4.30.C30mdk.i586.rpm
 6a46ca28a0edfa8d4de397ea468c6b7e  mnf/2.0/i586/php432-devel-4.3.4-4.30.C30mdk.i586.rpm
 aeedd733f5d44af49cf0fbd5260833c4  mnf/2.0/i586/php-cgi-4.3.4-4.30.C30mdk.i586.rpm
 5fba6d630664beaaebf243da3fb4d287  mnf/2.0/i586/php-cli-4.3.4-4.30.C30mdk.i586.rpm
 d18c9980d35f042f8aaf663fe2e2942d  mnf/2.0/i586/php-gd-4.3.4-1.8.C30mdk.i586.rpm
 0dd3ff93902b0f993a5e767cc50e017b  mnf/2.0/SRPMS/php-4.3.4-4.30.C30mdk.src.rpm
 a86659f66c2327f54c921ffccfc589cd  mnf/2.0/SRPMS/php-gd-4.3.4-1.8.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKvOH8mqjQ0CJFipgRApIHAKDVI9Jw2rVhzWDAy60BrWFosZuCowCgpWhL
xPcS4xN6XLqETihUeqBrkFo=
=D0DO
-----END PGP SIGNATURE-----
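The advisory says MandrivaUpdate and urpmi check the md5 sums and GPG signatures for you; when packages are pulled from a mirror by hand (air-gapped hosts, offline staging), that check has to be done explicitly. The script below is an added example, not part of the Mandriva advisory or its tooling: it parses "<md5>  <path>" lines of the form used in the Updated Packages section above, hashes the matching files under a local mirror directory, and reports each package as ok, mismatch or missing. The demo() function builds a constructed mirror in a temporary directory with fake package bytes (the file names are taken from the advisory, the contents are not real RPMs), then tampers with one file and deletes another to show both failure modes being caught.

```python
"""Check locally mirrored packages against the md5 list in a Mandriva advisory.

Added example; not Mandriva's code. The mirror layout (advisory-relative
paths under one root directory) and the sample file contents are assumptions.
"""
import hashlib
import os
import re
import tempfile

# One advisory entry: 32 hex md5 chars, whitespace, path ending in .rpm
CHECKSUM_RE = re.compile(r'^([0-9a-f]{32})\s+(\S+\.rpm)$')


def parse_checksum_lines(text):
    """Return {relative_path: md5_hex} for every checksum line in the advisory text.

    Headings such as 'Corporate 3.0:' and the separator lines do not match
    the pattern and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1)
    return entries


def md5_of_file(path):
    """Stream the file through md5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(entries, mirror_root):
    """Map each advisory path to 'ok', 'mismatch' (hash differs) or 'missing'."""
    results = {}
    for rel, expected in entries.items():
        local = os.path.join(mirror_root, rel)
        if not os.path.isfile(local):
            results[rel] = 'missing'
        elif md5_of_file(local) != expected:
            results[rel] = 'mismatch'
        else:
            results[rel] = 'ok'
    return results


def demo():
    """Constructed mirror: three fake packages, one tampered with, one deleted."""
    root = tempfile.mkdtemp()
    # Paths come from the advisory; the bytes are made up stand-ins for RPMs.
    files = {
        'corporate/3.0/i586/php-cli-4.3.4-4.30.C30mdk.i586.rpm': b'fake rpm payload A',
        'corporate/3.0/i586/php-gd-4.3.4-1.8.C30mdk.i586.rpm': b'fake rpm payload B',
        'corporate/3.0/SRPMS/php-4.3.4-4.30.C30mdk.src.rpm': b'fake src rpm',
    }
    lines = []
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)
        # Build the advisory-style checksum line from the pristine content
        lines.append(f'{hashlib.md5(data).hexdigest()}  {rel}')
    advisory_text = 'Updated Packages:\n\nCorporate 3.0:\n' + '\n'.join(lines) + '\n'

    # Simulate a corrupted or tampered download and a package never fetched
    with open(os.path.join(root, 'corporate/3.0/i586/php-gd-4.3.4-1.8.C30mdk.i586.rpm'), 'ab') as f:
        f.write(b'\x00')
    os.remove(os.path.join(root, 'corporate/3.0/SRPMS/php-4.3.4-4.30.C30mdk.src.rpm'))

    return verify_packages(parse_checksum_lines(advisory_text), root)


if __name__ == '__main__':
    for rel, status in sorted(demo().items()):
        print(f'{status:8s} {rel}')
```

An md5 match only tells you the file you fetched is the file the advisory describes; md5 is not collision resistant and the checksum list is itself only trustworthy because it sits inside the PGP-signed advisory. The authoritative check on a package is the RPM signature against the 0x22458A98 key listed above (rpm --checksig on the downloaded file), which urpmi performs before installing.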