
php5 security update Marvin



Hello Steffen,

You can do Marvin right away as well. Is a restart necessary?

Regards

Hans


On 31.01.2012 at 08:22, Thijs Kinkhorst wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2399-1                   security@debian.org
> http://www.debian.org/security/                           Thijs Kinkhorst
> January 31, 2012                       http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
> 
> Package        : php5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885 
>                 CVE-2012-0057 
> 
> Several vulnerabilities have been discovered in PHP, the web scripting
> language. The Common Vulnerabilities and Exposures project identifies
> the following issues:
> 
> CVE-2011-1938
> 
>  The UNIX socket handling allowed attackers to trigger a buffer overflow
>  via a long path name.
> 
> CVE-2011-2483
> 
>  The crypt_blowfish function did not properly handle 8-bit characters,
>  which made it easier for attackers to determine a cleartext password
>  by using knowledge of a password hash.
> 
> CVE-2011-4566
> 
>  When used on 32 bit platforms, the exif extension could be used to
>  trigger an integer overflow in the exif_process_IFD_TAG function
>  when processing a JPEG file.
> 
> CVE-2011-4885
> 
>  It was possible to trigger hash collisions predictably when parsing
>  form parameters, which allows remote attackers to cause a denial of
>  service by sending many crafted parameters.
> 
> CVE-2012-0057
> 
>  When applying a crafted XSLT transform, an attacker could write files
>  to arbitrary places in the filesystem.
> 
> NOTE: the fix for CVE-2011-2483 required changing the behaviour of this
> function: it is now incompatible with some old (wrongly) generated hashes
> for passwords containing 8-bit characters. See the package NEWS entry
> for details. This change has not been applied to the Lenny version of PHP.
> 
> 
> For the oldstable distribution (lenny), these problems have been fixed
> in version 5.2.6.dfsg.1-1+lenny14.
> 
> For the stable distribution (squeeze), these problems have been fixed
> in version 5.3.3-7+squeeze5.
> 
> For the testing distribution (wheezy) and unstable distribution (sid),
> these problems have been fixed in version 5.3.9-1.
> 
> We recommend that you upgrade your php5 packages.
> 
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
> 
> Mailing list: debian-security-announce@lists.debian.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> 
> iQEcBAEBAgAGBQJPJ5aaAAoJEOxfUAG2iX57USAIALlPmi/Hz3sAowgWqBfqGoYs
> ZajpYg/2yYQ5VEDAiRY20NDFct/9Qmdd3WlwkoHDMl51YrrtG6qf3WjosKNrnWch
> EkJJmdLBGFkTwDzFMLsyvizAJge+2XiEaNiFhsZxAZrDFk+KU2XJRdEBeHaSQnhn
> PdahnC8oUREb+n5FJv3h4jOL6cyPqu32Whk8SuaFPBjTd2VDUUHnk/x/Kqe1lFZq
> RgGsyjESnMo1320eDFTZVVxPR6HAGacYYTYQhddMs8twGqCiL/orm5dqy/rCBPlq
> ehyRICzGnGMDFtnydZC7X2wE0OHX5/gTABJrPfTI6DjsY2ncz/R7ohZAqQKHTSg=
> =vhFB
> -----END PGP SIGNATURE-----
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-announce-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/20120131072258.B54B559990@kinkhorst.com
> 


Internet greetings


Hans Heidemann
Internet Project Management

--
Poststraße 5
32139 Spenge

www.interweber.de
info@interweber.de


Tel.: +49 5225 873 770 0
Fax: +49 5225 873 770 2
Mobile: +49 175 566 227 4

N 52°08.543, E 008°29.070

VAT ID (USt-IdNr.): DE197550147



---------------------------------------------------------------------------------------------------
This e-mail is confidential. It is intended exclusively for the recipient(s)
of this e-mail. Hans-Georg Heidemann accepts no responsibility for the content,
errors or omissions within this e-mail, for use or misuse of any kind, or for
anything done or left undone on the basis of this message or its attachments.

