Tri nedostatka programskog paketa php

Uočena su tri sigurnosna nedostatka inačice programskog paketa PHP, namijenjenog za operacijske sustave Fedora 13 i 14. Radi se o skriptnom programskom jeziku s podrškom za objektnu paradigmu. Propusti se odnose na propuste u radu dodataka opisanog jezika. Dodaci, a i sami propusti, su vezani uz upravljanje ZIP datotekama, metapodacima JPEG i TIFF slika te PHP arhivskim datotekama (phar). Napadači propuste većinom mogu iskoristiti za pokretanje napada uskraćivanja usluga, izvršavanje proizvoljnog koda te dohvaćanje osjetljivih informacija. Kao rješenje svih problema, savjetuje se nadogradnja na novu inačicu programskog jezika.
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-3666
2011-03-19 09:58:31
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 13
Version     : 5.3.6
Release     : 1.fc13
URL         : http://www.php.net/
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module which adds support for the PHP
language to Apache HTTP Server.

--------------------------------------------------------------------------------
Update Information:

Security Enhancements and Fixes in PHP 5.3.6:
* Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
* Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
* Fixed bug #54055 (buffer overrun with high values for precision ini setting).
* Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
* Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive).
(CVE-2011-0421)

Full upstream changelog :
http://php.net/ChangeLog-5.php#5.3.6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 16 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.6-1
- update to 5.3.6
  http://www.php.net/ChangeLog-5.php#5.3.6
* Fri Jan  7 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.5-1
- update to 5.3.5
  http://www.php.net/ChangeLog-5.php#5.3.5
- clean duplicate configure options
- remove all RPM_SOURCE_DIR
- use mysql_config in libdir directly to avoid biarch build failures
* Sun Dec 12 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.4-1.1
- security patch from upstream for #660517
* Sat Dec 11 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.4-1
- update to 5.3.4
  http://www.php.net/ChangeLog-5.php#5.3.4
- move phpize to php-cli (see #657812)
* Thu Jul 22 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.3-1
- PHP 5.3.3 released
* Fri Apr 30 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.2-3
- garbage collector upstream  patches (#580236)
* Fri Apr  2 2010 CaolÃ¥n McNamara <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.2-2
- rebuild for icu 4.4
* Sat Mar  6 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.2-1
- PHP 5.3.2 Released!
- remove mime_magic option (now provided by fileinfo, by emu)
- add patch for http://bugs.php.net/50578
- remove patch for libedit (upstream)
- add runselftest option to allow build without test suite
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #688378 - CVE-2011-1153 php: several format string vulnerabilities
in PHP's Phar extension
        https://bugzilla.redhat.com/show_bug.cgi?id=688378
  [ 2 ] Bug #680972 - CVE-2011-0708 php: buffer over-read in Exif extension
        https://bugzilla.redhat.com/show_bug.cgi?id=680972
  [ 3 ] Bug #688735 - CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on
empty archive in zip_name_locate()
        https://bugzilla.redhat.com/show_bug.cgi?id=688735
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update php' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-3636
2011-03-19 09:57:19
--------------------------------------------------------------------------------

Name        : php
Product     : Fedora 14
Version     : 5.3.6
Release     : 1.fc14
URL         : http://www.php.net/
Summary     : PHP scripting language for creating dynamic web sites
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated web pages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts.

The php package contains the module which adds support for the PHP
language to Apache HTTP Server.

--------------------------------------------------------------------------------
Update Information:

Security Enhancements and Fixes in PHP 5.3.6:
* Fixed bug #54247 (format-string vulnerability on Phar). (CVE-2011-1153)
* Fixed bug #54193 (Integer overflow in shmop_read()). (CVE-2011-1092)
* Fixed bug #54055 (buffer overrun with high values for precision ini
setting).
* Fixed bug #54002 (crash on crafted tag in exif). (CVE-2011-0708)
* Fixed bug #53885 (ZipArchive segfault with FL_UNCHANGED on empty archive).
(CVE-2011-0421)

Full upstream changelog :
http://php.net/ChangeLog-5.php#5.3.6
--------------------------------------------------------------------------------
ChangeLog:

* Wed Mar 16 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.6-1
- update to 5.3.6
  http://www.php.net/ChangeLog-5.php#5.3.6
* Fri Jan  7 2011 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.5-1
- update to 5.3.5
  http://www.php.net/ChangeLog-5.php#5.3.5
- clean duplicate configure options
- remove all RPM_SOURCE_DIR
- use mysql_config in libdir directly to avoid biarch build failures
* Sun Dec 12 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.4-1.1
- security patch from upstream for #660517
* Sat Dec 11 2010 Remi Collet <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> 5.3.4-1
- update to 5.3.4
  http://www.php.net/ChangeLog-5.php#5.3.4
- move phpize to php-cli (see #657812)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #688378 - CVE-2011-1153 php: several format string vulnerabilities
in PHP's Phar extension
        https://bugzilla.redhat.com/show_bug.cgi?id=688378
  [ 2 ] Bug #680972 - CVE-2011-0708 php: buffer over-read in Exif extension
        https://bugzilla.redhat.com/show_bug.cgi?id=680972
  [ 3 ] Bug #688735 - CVE-2011-0421 php/libzip: segfault with FL_UNCHANGED on
empty archive in zip_name_locate()
        https://bugzilla.redhat.com/show_bug.cgi?id=688735
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update php' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Tri nedostatka programskog paketa php

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti
