Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201209-03 ] PHP: Multiple vulnerabilities
Date: Mon, 24 Sep 2012 00:38:23
Message-Id: 505FA6C9.5050209@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201209-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PHP: Multiple vulnerabilities
Date: September 24, 2012
Bugs: #384301, #396311, #396533, #399247, #399567, #399573,
      #401997, #410957, #414553, #421489, #427354, #429630
ID: 201209-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which leads to
remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
 1  dev-lang/php            < 5.3.15                   >= 5.3.15
                            < 5.4.5                    >= 5.4.5
-------------------------------------------------------------------
 # Package 1 only applies to users of these architectures:
    arm

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the process, cause a Denial of Service condition, obtain sensitive
information, create arbitrary files, conduct directory traversal
attacks, bypass protection mechanisms, or perform further attacks with
unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.15"

All PHP users on ARM should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.5"

References
==========

[ 1 ] CVE-2011-1398
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398
[ 2 ] CVE-2011-3379
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379
[ 3 ] CVE-2011-4566
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4566
[ 4 ] CVE-2011-4885
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885
[ 5 ] CVE-2012-0057
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057
[ 6 ] CVE-2012-0788
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788
[ 7 ] CVE-2012-0789
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789
[ 8 ] CVE-2012-0830
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0830
[ 9 ] CVE-2012-0831
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0831
[ 10 ] CVE-2012-1172
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172
[ 11 ] CVE-2012-1823
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823
[ 12 ] CVE-2012-2143
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143
[ 13 ] CVE-2012-2311
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311
[ 14 ] CVE-2012-2335
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335
[ 15 ] CVE-2012-2336
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336
[ 16 ] CVE-2012-2386
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386
[ 17 ] CVE-2012-2688
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688
[ 18 ] CVE-2012-3365
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365
[ 19 ] CVE-2012-3450
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201209-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
