BugTraq
[ GLSA 201110-06 ] PHP: Multiple vulnerabilities Oct 10 2011 10:00PM
Tobias Heinlein (keytoaster gentoo org)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201110-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: PHP: Multiple vulnerabilities
Date: October 10, 2011
Bugs: #306939, #332039, #340807, #350908, #355399, #358791,
#358975, #369071, #372745, #373965, #380261
ID: 201110-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which may lead
to remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  dev-lang/php              < 5.3.8                    >= 5.3.8

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A context-dependent attacker could execute arbitrary code, obtain
sensitive information from process memory, bypass intended access
restrictions, or cause a Denial of Service in various ways.

A remote attacker could cause a Denial of Service in various ways,
bypass spam detections, or bypass open_basedir restrictions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.8"
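
Before and after running the upgrade above, an administrator usually wants a check that every installed dev-lang/php version is at or past the fixed release. The script below is an added example, not part of the GLSA or of Gentoo's tooling: it compares Gentoo-style version strings against the 5.3.8 threshold from the table above and audits the versions recorded in the Portage installed-package database (/var/db/pkg), which also catches a slotted older install that is not the php first on PATH. The function names and the --audit flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the GLSA): decide whether an installed
# dev-lang/php version falls in the range this advisory marks vulnerable
# (< 5.3.8) and audit every php version recorded on a Gentoo host.
# The fixed version comes from the "Affected packages" table above; the
# function names and the --audit flag are this example's own.

GLSA_FIXED_PHP="5.3.8"

# vercmp A B: prints -1, 0 or 1 as A sorts lower than, equal to, or higher
# than B. Numeric components are compared left to right, missing components
# count as 0. A Gentoo revision ("-r1") is ignored (it never lowers a
# version below the upstream release), while a pre-release suffix
# ("_rc1", "_beta2", ...) sorts below the plain release it precedes.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        pre_a = (a ~ /_(alpha|beta|pre|rc)/)
        pre_b = (b ~ /_(alpha|beta|pre|rc)/)
        sub(/[-_].*$/, "", a); sub(/[-_].*$/, "", b)
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1";  exit }
        }
        if (pre_a && !pre_b) { print "-1"; exit }
        if (!pre_a && pre_b) { print "1";  exit }
        print "0"
    }'
}

# php_affected VERSION: true (exit 0) when VERSION is below the fixed release.
php_affected() {
    [ "$(vercmp "$1" "$GLSA_FIXED_PHP")" -lt 0 ]
}

# installed_php_versions: every dev-lang/php version recorded in the Portage
# installed-package database, one per line. Reading /var/db/pkg instead of
# `php -r 'echo PHP_VERSION;'` catches slotted installs (an old 5.2 slot
# that is not first on PATH is still vulnerable).
installed_php_versions() {
    for d in /var/db/pkg/dev-lang/php-*; do
        [ -d "$d" ] || continue
        printf '%s\n' "${d##*/php-}"
    done
}

# audit_installed_php: prints one verdict per installed version; returns 1 if
# any of them is affected, 0 otherwise (including when none is installed).
audit_installed_php() {
    rc=0
    found=0
    for v in $(installed_php_versions); do
        found=1
        if php_affected "$v"; then
            echo "AFFECTED   dev-lang/php-$v  (GLSA 201110-06: fixed in $GLSA_FIXED_PHP)"
            rc=1
        else
            echo "unaffected dev-lang/php-$v"
        fi
    done
    [ "$found" -eq 1 ] || echo "no dev-lang/php recorded in /var/db/pkg"
    return "$rc"
}

# Run the audit only when asked, so the functions can also be sourced:
#   sh check-glsa-201110-06.sh --audit
case "${1:-}" in
    --audit) audit_installed_php ;;
esac
```

The comparison deliberately treats "5.3.8-r1" as not affected (a revision bump of the fixed release) and "5.3.8_rc1" as affected, since the advisory's threshold is the final 5.3.8 release; any non-zero exit from --audit means at least one installed slot still needs the emerge above.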

References
==========

[ 1 ] CVE-2006-7243
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-7243
[ 2 ] CVE-2009-5016
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-5016
[ 3 ] CVE-2010-1128
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1128
[ 4 ] CVE-2010-1129
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1129
[ 5 ] CVE-2010-1130
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1130
[ 6 ] CVE-2010-1860
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1860
[ 7 ] CVE-2010-1861
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1861
[ 8 ] CVE-2010-1862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1862
[ 9 ] CVE-2010-1864
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1864
[ 10 ] CVE-2010-1866
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1866
[ 11 ] CVE-2010-1868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1868
[ 12 ] CVE-2010-1914
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1914
[ 13 ] CVE-2010-1915
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1915
[ 14 ] CVE-2010-1917
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1917
[ 15 ] CVE-2010-2093
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2093
[ 16 ] CVE-2010-2094
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2094
[ 17 ] CVE-2010-2097
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2097
[ 18 ] CVE-2010-2100
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2100
[ 19 ] CVE-2010-2101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2101
[ 20 ] CVE-2010-2190
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2190
[ 21 ] CVE-2010-2191
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2191
[ 22 ] CVE-2010-2225
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2225
[ 23 ] CVE-2010-2484
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2484
[ 24 ] CVE-2010-2531
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2531
[ 25 ] CVE-2010-2950
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2950
[ 26 ] CVE-2010-3062
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3062
[ 27 ] CVE-2010-3063
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3063
[ 28 ] CVE-2010-3064
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3064
[ 29 ] CVE-2010-3065
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3065
[ 30 ] CVE-2010-3436
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3436
[ 31 ] CVE-2010-3709
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3709
[ 32 ] CVE-2010-3710
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3710
[ 33 ] CVE-2010-3870
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3870
[ 34 ] CVE-2010-4150
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4150
[ 35 ] CVE-2010-4409
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4409
[ 36 ] CVE-2010-4645
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4645
[ 37 ] CVE-2010-4697
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4697
[ 38 ] CVE-2010-4698
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4698
[ 39 ] CVE-2010-4699
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4699
[ 40 ] CVE-2010-4700
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4700
[ 41 ] CVE-2011-0420
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0420
[ 42 ] CVE-2011-0421
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0421
[ 43 ] CVE-2011-0708
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0708
[ 44 ] CVE-2011-0752
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0752
[ 45 ] CVE-2011-0753
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0753
[ 46 ] CVE-2011-0755
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0755
[ 47 ] CVE-2011-1092
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1092
[ 48 ] CVE-2011-1148
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1148
[ 49 ] CVE-2011-1153
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1153
[ 50 ] CVE-2011-1464
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1464
[ 51 ] CVE-2011-1466
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1466
[ 52 ] CVE-2011-1467
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1467
[ 53 ] CVE-2011-1468
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1468
[ 54 ] CVE-2011-1469
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1469
[ 55 ] CVE-2011-1470
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1470
[ 56 ] CVE-2011-1471
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1471
[ 57 ] CVE-2011-1657
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1657
[ 58 ] CVE-2011-1938
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1938
[ 59 ] CVE-2011-2202
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2202
[ 60 ] CVE-2011-2483
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2483
[ 61 ] CVE-2011-3182
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3182
[ 62 ] CVE-2011-3189
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3189
[ 63 ] CVE-2011-3267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3267
[ 64 ] CVE-2011-3268
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3268

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201110-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security (at) gentoo (dot) org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2011 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

