php5 security update Marvin
Hallo Steffen,
Marvin kannst Du auch sofort machen. Ist ein Neustart notwendig?
Gruß
Hans
Am 31.01.2012 um 08:22 schrieb Thijs Kinkhorst:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2399-1 security@debian.org
> http://www.debian.org/security/ Thijs Kinkhorst
> January 31, 2012 http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package : php5
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE ID : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885
> CVE-2012-0057
>
> Several vulnerabilities have been discovered in PHP, the web scripting
> language. The Common Vulnerabilities and Exposures project identifies
> the following issues:
>
> CVE-2011-1938
>
> The UNIX socket handling allowed attackers to trigger a buffer overflow
> via a long path name.
>
> CVE-2011-2483
>
> The crypt_blowfish function did not properly handle 8-bit characters,
> which made it easier for attackers to determine a cleartext password
> by using knowledge of a password hash.
>
> CVE-2011-4566
>
> When used on 32 bit platforms, the exif extension could be used to
> trigger an integer overflow in the exif_process_IFD_TAG function
> when processing a JPEG file.
>
> CVE-2011-4885
>
> It was possible to trigger hash collisions predictably when parsing
> form parameters, which allows remote attackers to cause a denial of
> service by sending many crafted parameters.
>
> CVE-2012-0057
>
> When applying a crafted XSLT transform, an attacker could write files
> to arbitrary places in the filesystem.
>
> NOTE: the fix for CVE-2011-2483 required changing the behaviour of this
> function: it is now incompatible with some old (wrongly) generated hashes
> for passwords containing 8-bit characters. See the package NEWS entry
> for details. This change has not been applied to the Lenny version of PHP.
>
>
> For the oldstable distribution (lenny), these problems have been fixed
> in version 5.2.6.dfsg.1-1+lenny14.
>
> For the stable distribution (squeeze), these problems have been fixed
> in version 5.3.3-7+squeeze5.
>
> For the testing distribution (wheezy) and unstable distribution (sid),
> these problems have been fixed in version 5.3.9-1.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEcBAEBAgAGBQJPJ5aaAAoJEOxfUAG2iX57USAIALlPmi/Hz3sAowgWqBfqGoYs
> ZajpYg/2yYQ5VEDAiRY20NDFct/9Qmdd3WlwkoHDMl51YrrtG6qf3WjosKNrnWch
> EkJJmdLBGFkTwDzFMLsyvizAJge+2XiEaNiFhsZxAZrDFk+KU2XJRdEBeHaSQnhn
> PdahnC8oUREb+n5FJv3h4jOL6cyPqu32Whk8SuaFPBjTd2VDUUHnk/x/Kqe1lFZq
> RgGsyjESnMo1320eDFTZVVxPR6HAGacYYTYQhddMs8twGqCiL/orm5dqy/rCBPlq
> ehyRICzGnGMDFtnydZC7X2wE0OHX5/gTABJrPfTI6DjsY2ncz/R7ohZAqQKHTSg=
> =vhFB
> -----END PGP SIGNATURE-----
>
>
> --
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20120131072258.B54B559990@kinkhorst.com
>
Internette Grüße
Hans Heidemann
Internet Projekt Management
--
Poststraße 5
32139 Spenge
www.interweber.de
info@interweber.de
Tel.: +49 5225 873 770 0
Fax: +49 5225 873 770 2
Mobil: +49 175 566 227 4
N 52°08.543, E 008°29.070
USt-IdNr.: DE197550147
---------------------------------------------------------------------------------------------------
Diese E-Mail ist vertraulich. Sie ist ausschließlich fuer den/die Empfänger
dieser E-Mail bestimmt. Hans-Georg Heidemann übernimmt keine Verantwortung
für Inhalte, Fehler oder ausgelassene Inhalteinnerhalb dieser E-Mail, die
Verwendung oder den Missbrauch jeglicher Art oder alles, was mit dieser
Nachricht beziehungsweise beigefügten Anhängen getan oder unterlassen wird.
Reply to: