Mailinglist Archive: opensuse-bugs (7309 mails)
[Bug 487627] New: PHP out of date
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Sun, 22 Mar 2009 15:57:42 -0600 (MDT)
- Message-id: <bug-487627-21960@xxxxxxxxxxxxxxxxxxxxxxxxx/>
https://bugzilla.novell.com/show_bug.cgi?id=487627
User nbetcher@xxxxxxxxx added comment
https://bugzilla.novell.com/show_bug.cgi?id=487627#c5
Summary: PHP out of date
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i686
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@xxxxxxxxxxxxxxxxxxxxxx
ReportedBy: nbetcher@xxxxxxxxx
QAContact: qa@xxxxxxx
Found By: ---
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7)
Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
OpenSuSE 11.1 does not contain the most recent version of php5. In fact not
even 'factory' has anything newer than 5.2.6. This poses a fairly large
security problem for any openSuSE 11.1 server on the internet that is
configured to use the LAMP setup due to the fact that 5.2.x releases are
primarily security updates. Additionally apache2 is slightly out-of-date, but
the security reports are not critical. Listed in the additional information
section are the security reports from Nessus regarding the out-of-date PHP
versions.
Reproducible: Always
Steps to Reproduce:
N/A
Actual Results:
Security vulnerabilities
Expected Results:
Faster minor/patch releases and slow major releases.
Less critical:
PHP < 5.2.9 Multiple Vulnerabilities
Synopsis :
The remote web server uses a version of PHP that is affected by
multiple flaws.
Description :
According to its banner, the version of PHP installed on the remote
host is older than 5.2.9. Such versions may be affected by several
security issues :
- Background color is not correctly validated with a non true
color image in function 'imagerotate()'. (CVE-2008-5498)
- A denial of service condition can be triggered by trying to
extract zip files that contain files with relative paths
in file or directory names.
- Function 'explode()' is affected by an unspecified
vulnerability.
- It may be possible to trigger a segfault by passing a
specially crafted string to function 'json_decode()'.
- Function 'xml_error_string()' is affected by a flaw
which results in messages being off by one.
See also :
http://news.php.net/php.internals/42762
http://www.php.net/releases/5_2_9.php
http://www.php.net/ChangeLog-5.php#5.2.9
Solution :
Upgrade to PHP version 5.2.9 or later.
Risk factor :
Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
Plugin output :
PHP version 5.2.6 appears to be running on the remote host based on
the following X-Powered-By response header :
X-Powered-By: PHP/5.2.6
CVE : CVE-2008-5498
BID : 33002, 33927
Other references : OSVDB:51031, Secunia:34081
Nessus ID : 35750
Critical:
PHP 5 < 5.2.7 Multiple Vulnerabilities
Synopsis :
The remote web server uses a version of PHP that is affected by
multiple flaws.
Description :
According to its banner, the version of PHP installed on the remote
host is older than 5.2.7. Such versions may be affected by several
security issues :
- File truncation can occur when calling 'dba_replace()'
with an invalid argument.
- There is a buffer overflow in the bundled PCRE library
fixed by 7.8. (CVE-2008-2371)
- A buffer overflow in the 'imageloadfont()' function in
'ext/gd/gd.c' can be triggered when a specially crafted
font is given. (CVE-2008-3658)
- There is a buffer overflow in PHP's internal function
'memnstr()', which is exposed to userspace as
'explode()'. (CVE-2008-3659)
- When used as a FastCGI module, PHP segfaults when
opening a file whose name contains two dots (eg,
'file..php'). (CVE-2008-3660)
- Multiple directory traversal vulnerabilities in
functions such as 'posix_access()', 'chdir()', 'ftok()'
may allow a remote attacker to bypass 'safe_mode'
restrictions. (CVE-2008-2665 and CVE-2008-2666).
- A buffer overflow may be triggered when processing long
message headers in 'php_imap.c' due to use of an
obsolete API call. (CVE-2008-2829)
- A heap-based buffer overflow may be triggered via
a call to 'mb_check_encoding()', part of the 'mbstring'
extension. (CVE-2008-5557)
- Missing initialization of 'BG(page_uid)' and
'BG(page_gid)' when PHP is used as an Apache module
may allow for bypassing security restriction due to
SAPI 'php_getuid()' overloading. (CVE-2008-5624)
- Incorrect 'php_value' order for Apache configuration
may allow bypassing PHP's 'safe_mode' setting.
(CVE-2008-5625)
- The ZipArchive::extractTo() method in the ZipArchive
extension fails to filter directory traversal
sequences from file names. (CVE-2008-5658)
See also :
http://securityreason.com/achievement_securityalert/57
http://securityreason.com/achievement_securityalert/58
http://securityreason.com/achievement_securityalert/59
http://www.sektioneins.de/advisories/SE-2008-06.txt
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0238.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-06/0239.html
http://www.openwall.com/lists/oss-security/2008/08/08/2
http://www.openwall.com/lists/oss-security/2008/08/13/8
http://archives.neohapsis.com/archives/fulldisclosure/2008-11/0433.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0089.html
http://bugs.php.net/bug.php?id=42862
http://bugs.php.net/bug.php?id=45151
http://bugs.php.net/bug.php?id=45722
http://www.php.net/releases/5_2_7.php
http://www.php.net/ChageLog-5.php#5.2.7
Solution :
Upgrade to PHP version 5.2.8 or later.
Note that 5.2.7 has been removed from distribution because of a
regression in that version that results in the 'magic_quotes_gpc'
setting remaining off even if it was set to on.
Risk factor :
High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
Plugin output :
PHP version 5.2.6 appears to be running on the remote host based on
the following X-Powered-By response header :
X-Powered-By: PHP/5.2.6
CVE : CVE-2008-2371, CVE-2008-2665, CVE-2008-2666, CVE-2008-2829,
CVE-2008-3658, CVE-2008-3659, CVE-2008-3660, CVE-2008-5557, CVE-2008-5624,
CVE-2008-5625, CVE-2008-5658
BID : 29796, 29797, 29829, 30087, 30649, 31612, 32383, 32625, 32688, 32948
Other references : OSVDB:46584, OSVDB:46638, OSVDB:46639, OSVDB:46641,
OSVDB:46690, OSVDB:47796, OSVDB:47797, OSVDB:47798
Nessus ID : 35043
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
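As an added illustration, not code from the bug report or from Nessus, here is the banner check the two plugins above describe, using the same fixed-version thresholds (5.2.7 for plugin 35043, which nevertheless recommends 5.2.8 because 5.2.7 was withdrawn, and 5.2.9 for plugin 35750). It parses the X-Powered-By header and reports which of the two findings would fire; the sample response headers are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Thresholds taken from the two Nessus findings quoted in the report:
# (title, required major or None, first fixed version, risk factor).
FINDINGS = (
    ("PHP 5 < 5.2.7 Multiple Vulnerabilities", 5, (5, 2, 7), "High"),
    ("PHP < 5.2.9 Multiple Vulnerabilities", None, (5, 2, 9), "Medium"),
)
RECOMMENDED: Version = (5, 2, 9)  # "Upgrade to PHP version 5.2.9 or later."

# Matches the banner exactly as the plugin output shows it: X-Powered-By: PHP/5.2.6
_BANNER = re.compile(r"^X-Powered-By:\s*PHP/(\d+)\.(\d+)\.(\d+)", re.I | re.M)

# Constructed sample response, modelled on the report's plugin output.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.10 (Linux/SUSE)\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "Content-Type: text/html\r\n"
)


def parse_php_banner(headers: str) -> Optional[Version]:
    """Return the PHP version advertised in X-Powered-By, or None if absent."""
    m = _BANNER.search(headers)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(headers: str) -> dict:
    """List which of the two banner-based findings would fire for a response.

    A banner below a threshold is only a lead: a distribution may have
    backported the fixes without changing the version string, so the
    installed package's patch level, not the banner, settles the question.
    """
    ver = parse_php_banner(headers)
    if ver is None:
        return {"version": None, "findings": [], "needs_upgrade": False}
    hits = [(title, risk) for title, major, fixed, risk in FINDINGS
            if (major is None or ver[0] == major) and ver < fixed]
    return {"version": ver, "findings": hits, "needs_upgrade": ver < RECOMMENDED}
```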