
Re: [SECURITY] [DSA 2195-1] php5 security update



We should evaluate this.

MG.

On 19 March 2011 23:49, Raphael Geissert <geissert@debian.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2195-1                   security@debian.org
> http://www.debian.org/security/                          Raphael Geissert
> March 19, 2011                         http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : php5
> Vulnerability  : several
> Problem type   : local/remote
> Debian-specific: yes/no
> CVE ID         : CVE-2011-0441 CVE-2010-3709 CVE-2010-3710 CVE-2010-3870
>                 CVE-2010-4150
>
> Stephane Chazelas discovered that the cronjob of the PHP 5 package in
> Debian suffers from a race condition which might be used to remove
> arbitrary files from a system (CVE-2011-0441).
>
> When upgrading your php5-common package take special care to _accept_
> the changes to the /etc/cron.d/php5 file. Ignoring them would leave the
> system vulnerable.
>
> For the oldstable distribution (lenny), this problem has been fixed in
> version 5.2.6.dfsg.1-1+lenny10.
>
> For the stable distribution (squeeze), this problem has been fixed in
> version 5.3.3-7+squeeze1.
>
> For the unstable distribution (sid), this problem has been fixed in
> version 5.3.6-1.
>
> Additionally, the following vulnerabilities have also been fixed in the
> oldstable distribution (lenny):
>
> CVE-2010-3709
>
>    Maksymilian Arciemowicz discovered that the ZipArchive class
>    may dereference a NULL pointer when extracting comments from a zip
>    archive, leading to application crash and possible denial of
>    service.
>
> CVE-2010-3710
>
>    Stefan Neufeind discovered that the FILTER_VALIDATE_EMAIL filter
>    does not correctly handle long, to be validated, strings. Such
>    crafted strings may lead to denial of service because of high memory
>    consumption and application crash.
>
> CVE-2010-3870
>
>    It was discovered that PHP does not correctly handle certain UTF-8
>    sequences and may be used to bypass XSS protections.
>
> CVE-2010-4150
>
>    Mateusz Kocielski discovered that the imap extension may try to
>    free already freed memory when processing user credentials, leading
>    to application crash and possibly arbitrary code execution.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iEYEARECAAYFAk2FQSEACgkQYy49rUbZzlqRlgCfXkCAKI9NMfxJKGG0wembelXl
> f2gAn1e3qpSbHJ/4BnRII0MZyRSJSZMD
> =pm92
> -----END PGP SIGNATURE-----
>
>
> Archive: http://lists.debian.org/201103191749.58950.geissert@debian.org
>
>



-- 

Martin Gleadow - Systems Manager
Technophobia Limited
The Workstation
15 Paternoster Row
SHEFFIELD
England
S1 2BX
t: +44 (0)114 221 2123
f: +44 (0)114 221 2124
e: martin.gleadow@technophobia.com
w: http://www.technophobia.com/
twitter.com/WeTechnophobia

Registered in England and Wales Company No. 3063669
VAT registration No. 598 7858 42
ISO 9001:2000 Accredited Company No. 21227
ISO 14001:2004 Accredited Company No. E997
ISO 27001:2005 (BS7799) Accredited Company No. IS 508906
Investor in People Certified No. 101507

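The advisory's caveat about accepting the changes to /etc/cron.d/php5 at upgrade time can be verified after the fact. The script below is an added example for this thread, not Debian's own tooling and not part of the advisory: it relies on the documented dpkg behaviour that the `Conffiles` field of a package's status entry lists every shipped conffile with its md5sum, so a file on disk whose md5sum differs from that record was kept or edited locally rather than replaced by the package's version. The sample cron-job contents and the sample `Conffiles` listing are constructed for illustration and are not the real Debian files.

```python
"""Check whether a Debian conffile still matches the copy its package ships.

Added example for the /etc/cron.d/php5 caveat in DSA-2195-1; this is not
Debian's own tooling. dpkg records the md5sum of every conffile a package
ships in the ``Conffiles`` field of that package's status entry. A file on
disk whose md5sum differs from that record was kept or edited locally, i.e.
the package's new version was not accepted when the package was upgraded.
"""
import hashlib
import subprocess
from typing import Dict, Optional

# Constructed sample cron-job contents; NOT the real /etc/cron.d/php5.
SAMPLE_CRON = (
    b"# constructed sample of a cron.d file\n"
    b"09,39 * * * * root /usr/lib/php5/sample-cleanup\n"
)
SAMPLE_CRON_MD5 = hashlib.md5(SAMPLE_CRON).hexdigest()

# Constructed sample of a dpkg-query "${Conffiles}" listing. Real entries have
# the form " <path> <md5sum>", optionally followed by the word "obsolete".
SAMPLE_CONFFILES = (
    f" /etc/cron.d/php5 {SAMPLE_CRON_MD5}\n"
    " /etc/php5/apache2/php.ini fedcba9876543210fedcba9876543210\n"
    " /etc/php5/conf.d/old.ini 00000000000000000000000000000000 obsolete\n"
)


def parse_conffiles(listing: str) -> Dict[str, str]:
    """Map each conffile path to the md5sum dpkg recorded for it.

    Entries marked ``obsolete`` are skipped: the package no longer ships
    them, so a mismatch there says nothing about an accepted upgrade.
    """
    expected: Dict[str, str] = {}
    for raw in listing.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        path, md5 = parts[0], parts[1]
        if len(parts) > 2 and parts[2] == "obsolete":
            continue
        expected[path] = md5
    return expected


def conffile_status(path: str, content: bytes, expected: Dict[str, str]) -> str:
    """Classify a file as 'matches', 'modified' or 'not-a-conffile'."""
    want = expected.get(path)
    if want is None:
        return "not-a-conffile"
    have = hashlib.md5(content).hexdigest()
    return "matches" if have == want else "modified"


def check_live_host(package: str = "php5-common",
                    path: str = "/etc/cron.d/php5") -> Optional[str]:
    """Run the check against the real dpkg database.

    Returns None when dpkg-query or the file is unavailable (for example on
    a non-Debian machine), so callers can tell 'cannot check' from a result.
    """
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Conffiles}", package],
            capture_output=True, text=True, check=True,
        ).stdout
        with open(path, "rb") as fh:
            content = fh.read()
    except (OSError, subprocess.CalledProcessError):
        return None
    return conffile_status(path, content, parse_conffiles(out))


if __name__ == "__main__":
    expected = parse_conffiles(SAMPLE_CONFFILES)
    print("constructed sample:", conffile_status("/etc/cron.d/php5", SAMPLE_CRON, expected))
    live = check_live_host()
    print("live host:", live if live is not None else "dpkg not available here")
```

A result of `modified` for /etc/cron.d/php5 on a host that already carries the fixed php5-common version is exactly the state the advisory warns about: the package was upgraded but the old cron job was kept. The version half of the check (is the installed version at least 5.2.6.dfsg.1-1+lenny10 or 5.3.3-7+squeeze1) is best left to `dpkg --compare-versions`, which implements Debian's version ordering.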
