Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201110-06 ] PHP: Multiple vulnerabilities
Date: Mon, 10 Oct 2011 22:36:28
Message-Id: 4E936AF3.2090208@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PHP: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #306939, #332039, #340807, #350908, #355399, #358791,
      #358975, #369071, #372745, #373965, #380261
ID: 201110-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which may lead
to remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php             < 5.3.8                        >= 5.3.8

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could execute arbitrary code, obtain
sensitive information from process memory, bypass intended access
restrictions, or cause a Denial of Service in various ways.

A remote attacker could cause a Denial of Service in various ways,
bypass spam detections, or bypass open_basedir restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.8"
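Before running the upgrade on a fleet it is useful to know which hosts are actually inside the "< 5.3.8" range from the Affected packages table above. The script below is an added example, not part of this advisory and not Gentoo's own tooling (Portage has its own, more complete version comparison); it implements just enough Gentoo-style version ordering to answer that question for dev-lang/php. It assumes versions of the form X.Y.Z with an optional _alpha/_beta/_pre/_rc suffix (which sorts below the bare release) and an optional -rN revision (which sorts above it); different pre-release numbers and _p suffixes are not distinguished. The sample versions at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of GLSA 201110-06 or of Gentoo's tooling: decide
# whether an installed dev-lang/php version is inside the advisory's
# vulnerable range ("< 5.3.8").
#
# Assumptions (not stated by the advisory): versions look like
# "X.Y.Z[_alpha|_beta|_pre|_rc[N]][-rN]"; a pre-release suffix sorts below
# the bare release and a "-rN" revision sorts above it. Pre-release numbers
# and "_p" suffixes are not distinguished.

FIXED_VERSION="5.3.8"        # the "Unaffected" column of the advisory

# Map a version string to one integer that orders like the version.
# Layout: 1 <major:3> <minor:3> <patch:3> <stage:1> <revision:3>
# The leading "1" keeps the number free of a leading zero, so no shell
# can mistake it for octal.
version_key() {
    v="$1"; rev=0; stage=1
    case "$v" in
        *-r[0-9]*) rev="${v##*-r}"; v="${v%-r*}" ;;
    esac
    case "$v" in
        *_alpha*|*_beta*|*_pre*|*_rc*) stage=0; v="${v%%_*}" ;;
    esac
    # Split "5.3.8" into positional parameters; missing parts default to 0.
    set -- $(printf '%s\n' "$v" | tr '.' ' ')
    printf '1%03d%03d%03d%d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$stage" "$rev"
}

# Exit 0 when version $1 is strictly older than version $2.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# Exit 0 (affected) when the installed version is older than FIXED_VERSION.
php_affected() {
    version_lt "$1" "$FIXED_VERSION"
}

# Print one line per version; the exit status is the number of affected
# versions, so callers can branch on it.
report() {
    affected=0
    for ver in "$@"; do
        if php_affected "$ver"; then
            echo "dev-lang/php-$ver: VULNERABLE (upgrade to >= $FIXED_VERSION)"
            affected=$((affected + 1))
        else
            echo "dev-lang/php-$ver: not affected by GLSA 201110-06"
        fi
    done
    return "$affected"
}

# Constructed sample inputs for the demonstration.
report 5.3.7 5.3.8_rc1 5.3.8 5.3.8-r1 5.2.17 || echo "$? version(s) affected"
```

On a live Gentoo host the installed atom can be read with `qlist -Iv dev-lang/php` (from app-portage/portage-utils); strip the `dev-lang/php-` prefix and pass the remainder to `php_affected`. Keep in mind that the check only covers the package version: a long-running PHP-FPM or Apache process still executes the old code until it is restarted after the emerge.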

References
==========

  [ 1 ] CVE-2006-7243
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7243
  [ 2 ] CVE-2009-5016
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5016
  [ 3 ] CVE-2010-1128
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1128
  [ 4 ] CVE-2010-1129
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1129
  [ 5 ] CVE-2010-1130
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1130
  [ 6 ] CVE-2010-1860
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1860
  [ 7 ] CVE-2010-1861
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1861
  [ 8 ] CVE-2010-1862
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1862
  [ 9 ] CVE-2010-1864
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1864
  [ 10 ] CVE-2010-1866
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1866
  [ 11 ] CVE-2010-1868
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1868
  [ 12 ] CVE-2010-1914
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1914
  [ 13 ] CVE-2010-1915
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1915
  [ 14 ] CVE-2010-1917
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1917
  [ 15 ] CVE-2010-2093
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2093
  [ 16 ] CVE-2010-2094
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2094
  [ 17 ] CVE-2010-2097
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2097
  [ 18 ] CVE-2010-2100
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2100
  [ 19 ] CVE-2010-2101
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2101
  [ 20 ] CVE-2010-2190
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2190
  [ 21 ] CVE-2010-2191
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2191
  [ 22 ] CVE-2010-2225
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2225
  [ 23 ] CVE-2010-2484
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2484
  [ 24 ] CVE-2010-2531
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2531
  [ 25 ] CVE-2010-2950
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2950
  [ 26 ] CVE-2010-3062
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3062
  [ 27 ] CVE-2010-3063
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3063
  [ 28 ] CVE-2010-3064
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3064
  [ 29 ] CVE-2010-3065
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3065
  [ 30 ] CVE-2010-3436
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3436
  [ 31 ] CVE-2010-3709
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709
  [ 32 ] CVE-2010-3710
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710
  [ 33 ] CVE-2010-3870
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3870
  [ 34 ] CVE-2010-4150
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4150
  [ 35 ] CVE-2010-4409
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4409
  [ 36 ] CVE-2010-4645
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4645
  [ 37 ] CVE-2010-4697
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4697
  [ 38 ] CVE-2010-4698
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4698
  [ 39 ] CVE-2010-4699
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4699
  [ 40 ] CVE-2010-4700
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4700
  [ 41 ] CVE-2011-0420
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0420
  [ 42 ] CVE-2011-0421
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421
  [ 43 ] CVE-2011-0708
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708
  [ 44 ] CVE-2011-0752
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0752
  [ 45 ] CVE-2011-0753
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0753
  [ 46 ] CVE-2011-0755
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0755
  [ 47 ] CVE-2011-1092
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092
  [ 48 ] CVE-2011-1148
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1148
  [ 49 ] CVE-2011-1153
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153
  [ 50 ] CVE-2011-1464
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464
  [ 51 ] CVE-2011-1466
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466
  [ 52 ] CVE-2011-1467
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467
  [ 53 ] CVE-2011-1468
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468
  [ 54 ] CVE-2011-1469
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469
  [ 55 ] CVE-2011-1470
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470
  [ 56 ] CVE-2011-1471
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471
  [ 57 ] CVE-2011-1657
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1657
  [ 58 ] CVE-2011-1938
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1938
  [ 59 ] CVE-2011-2202
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202
  [ 60 ] CVE-2011-2483
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483
  [ 61 ] CVE-2011-3182
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182
  [ 62 ] CVE-2011-3189
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3189
  [ 63 ] CVE-2011-3267
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267
  [ 64 ] CVE-2011-3268
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201110-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Attachments

  File name        MIME type
  signature.asc    application/pgp-signature