A security vulnerability has been discovered in the php-pear (PHP Extension and Application Repository) package distributed with the Fedora 15 operating system. PEAR is a development framework and distribution system for certain PHP components. The vulnerability lies in the package's installation file, specifically in the lack of checks on the symbolic links used during installation or upgrade. A malicious user can create a symbolic link that causes writes to the locations where critical system files reside. Upgrading the package is recommended.
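The missing symbolic-link check described above, as an added Python example (not PEAR's code and not part of the advisory): a write that follows a pre-planted link beside one that refuses it, plus a private build directory under TMPDIR in the spirit of Request #16648 in the changelog. The scenario and all file names are constructed.

```python
import os
import shutil
import stat
import tempfile

def naive_write(path, data):
    # Unsafe pattern: open() follows a symlink at `path` and truncates its target.
    with open(path, "wb") as fh:
        fh.write(data)

def safe_write(path, data):
    # O_EXCL: fail if anything (a symlink included) already exists at `path`.
    # O_NOFOLLOW: never follow a symlink in the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def private_build_dir():
    # mkdtemp honours $TMPDIR and creates a directory only its owner can
    # enter (mode 0700), so other local users cannot plant links in it.
    return tempfile.mkdtemp(prefix="build-")

def demo():
    """Constructed scenario; every file name here is hypothetical."""
    shared = tempfile.mkdtemp(prefix="shared-")  # stands in for a shared temp dir
    build = private_build_dir()
    try:
        target = os.path.join(shared, "important.conf")
        naive_write(target, b"original\n")
        planted = os.path.join(shared, "package.xml")
        os.symlink(target, planted)  # link already in place when the install runs
        try:
            safe_write(planted, b"installer data\n")
            refused = False
        except OSError:
            refused = True
        with open(target, "rb") as fh:
            after_safe = fh.read()
        naive_write(planted, b"installer data\n")
        with open(target, "rb") as fh:
            after_naive = fh.read()
        safe_write(os.path.join(build, "package.xml"), b"installer data\n")
        mode = stat.S_IMODE(os.stat(build).st_mode)
        return {"refused": refused, "after_safe": after_safe,
                "after_naive": after_naive, "build_mode": mode}
    finally:
        shutil.rmtree(shared)
        shutil.rmtree(build)
```

Calling `demo()` shows the hardened write leaving the linked file untouched while the naive write replaces its contents.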
Fedora Update Notification
2011-03-01 06:41:13
Name : php-pear
Product : Fedora 15
Version : 1.9.2
Release : 1.fc15
URL : http://pear.php.net/package/PEAR
Summary : PHP Extension and Application Repository framework
Description :
PEAR is a framework and distribution system for reusable PHP
components. This package contains the basic PEAR components.
Update Information:
Upstream Changelog:
Important! This is a security fix release. The advisory can be found at
* Fixed Bug #17463: Regression: On Windows, svntag [patch by doconnor]
* Fixed Bug #17641: pecl-list doesn't sort packages by name [dufuz]
* Fixed Bug #17781: invalid argument warning on foreach due to an empty
optional dependency [dufuz]
* Fixed Bug #17801: PEAR run-tests wrongly detects php-cgi [patch by David Jean
Louis (izi)]
* Fixed Bug #17839: pear svntag does not tag package.xml file [dufuz]
* Fixed Bug #17986: PEAR Installer cannot handle files moved between packages
* Fixed Bug #17997: Strange output if directories are not writeable [dufuz]
* Fixed Bug #18001: PEAR/RunTest coverage fails [dufuz]
* Fixed Bug #18056 [SECURITY]: Symlink attack in PEAR install [dufuz]
* Fixed Bug #18218: "pear package" does not allow the use of late static
binding [dufuz and Christer Edvartsen]
* Fixed Bug #18238: Wrong return code from "pear help" [till]
* Fixed Bug #18308: Broken error message about missing channel validator
This feature is implemented as a result of #18056
* Implemented Request #16648: Use TMPDIR for builds instead of /var/tmp
This update can be installed with the "yum" update program. Use
su -c 'yum update php-pear' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
package-announce mailing list