To: [email protected]Subject: [ MDVSA-2009:024 ] php4
Date: Wed, 21 Jan 2009 18:21:00 -0700
From: [email protected]
Reply-To: <xsecurity@mandriva.com.>
Message-Id: <E1LPoFg-0006rZ-BV@titan.mandriva.com.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:024
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php4
Date : January 21, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash)
and potentially execute arbitrary code via a crafted font file
(CVE-2008-3658).
A buffer overflow in the memnstr() function allowed context-dependent
attackers to cause a denial of service (crash) and potentially execute
arbitrary code via the delimiter argument to the explode() function
(CVE-2008-3659).
PHP, when used as a FastCGI module, allowed remote attackers to cause
a denial of service (crash) via a request with multiple dots preceding
the extension (CVE-2008-3660).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
acf26c8efc90342d906e59c0444bd46a corporate/3.0/i586/libphp_common432-4.3.4-4.29.C30mdk.i586.rpm
f7cf98731681e6af45aca3dd2246c0f7 corporate/3.0/i586/php432-devel-4.3.4-4.29.C30mdk.i586.rpm
8f8d00fa42b95a28e77d600d081c95d9 corporate/3.0/i586/php-cgi-4.3.4-4.29.C30mdk.i586.rpm
d6b96c7cf8d6416ec3d8bb111c4440da corporate/3.0/i586/php-cli-4.3.4-4.29.C30mdk.i586.rpm
57b308993c4e4635f343d4ef0d36a6c2 corporate/3.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
Corporate 3.0/X86_64:
8164e4bfb1a7ffb5fd1bca2afcaef9ef corporate/3.0/x86_64/lib64php_common432-4.3.4-4.29.C30mdk.x86_64.rpm
625a98ec0ec42052ffbb9da5f8b9caca corporate/3.0/x86_64/php432-devel-4.3.4-4.29.C30mdk.x86_64.rpm
5b3143860009e7cf82f323e45f575324 corporate/3.0/x86_64/php-cgi-4.3.4-4.29.C30mdk.x86_64.rpm
48bff6270d231dffc8a5fbfbe0d1630e corporate/3.0/x86_64/php-cli-4.3.4-4.29.C30mdk.x86_64.rpm
57b308993c4e4635f343d4ef0d36a6c2 corporate/3.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
Corporate 4.0:
828884555043ebbf5af7d91d8a6401ad corporate/4.0/i586/libphp4_common4-4.4.4-1.9.20060mlcs4.i586.rpm
ac0b8ea0e61fdda9e8716fde02f25100 corporate/4.0/i586/php4-cgi-4.4.4-1.9.20060mlcs4.i586.rpm
19eddb6987778bee19f9978cc59cb54b corporate/4.0/i586/php4-cli-4.4.4-1.9.20060mlcs4.i586.rpm
4ea6bb54f1ea066cd6ee29d894d9a0fd corporate/4.0/i586/php4-devel-4.4.4-1.9.20060mlcs4.i586.rpm
dc2d58cb2ed98936ec15dc030689fb14 corporate/4.0/SRPMS/php4-4.4.4-1.9.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
60d3900495dd46161a6ba20fdbdfdd7d corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.9.20060mlcs4.x86_64.rpm
60e039c9d60030616e4f05c81ea29455 corporate/4.0/x86_64/php4-cgi-4.4.4-1.9.20060mlcs4.x86_64.rpm
f8e9e9faf82d8edbe2d9bf88572f2311 corporate/4.0/x86_64/php4-cli-4.4.4-1.9.20060mlcs4.x86_64.rpm
5561a9c77979daf567d1acffc73d4918 corporate/4.0/x86_64/php4-devel-4.4.4-1.9.20060mlcs4.x86_64.rpm
dc2d58cb2ed98936ec15dc030689fb14 corporate/4.0/SRPMS/php4-4.4.4-1.9.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
0183137a3353b21a77e147b745d21ec4 mnf/2.0/i586/libphp_common432-4.3.4-4.29.C30mdk.i586.rpm
1173011f1e24f85619f78966b1533e11 mnf/2.0/i586/php-cgi-4.3.4-4.29.C30mdk.i586.rpm
b726b9c13b620a12c5e8603c197d76c9 mnf/2.0/i586/php-cli-4.3.4-4.29.C30mdk.i586.rpm
87805cd270bffde644fee3ec29ecfd54 mnf/2.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJd55+mqjQ0CJFipgRAmtGAJ45ZVHxX/mQROiWu/W+EmPyT+UwFgCfRdDR
jaoTCVqDPgqPjX/k4OYu1Vk=
=fHY4
-----END PGP SIGNATURE-----