Date: 31 January 2012
References: ASB-2011.0066 ESB-2011.1099 ESB-2012.0054 ESB-2012.0120 ESB-2012.0121
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0096
Moderate: php security update
31 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: php
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux AS/ES/WS 4
Red Hat Enterprise Linux Desktop 4
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Create Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2011-4885 CVE-2011-4566 CVE-2011-2202
CVE-2011-1466 CVE-2011-0708
Reference: ESB-2012.0054
ASB-2011.0066
ESB-2011.1099
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: php security update
Advisory ID: RHSA-2012:0071-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2012-0071.html
Issue date: 2012-01-30
CVE Names: CVE-2011-0708 CVE-2011-1466 CVE-2011-2202
CVE-2011-4566 CVE-2011-4885
=====================================================================
1. Summary:
Updated php packages that fix several security issues are now available for
Red Hat Enterprise Linux 4.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
3. Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.
It was found that the hashing routine used by PHP arrays was susceptible
to predictable hash collisions. If an HTTP POST request to a PHP
application contained many parameters whose names map to the same hash
value, a large amount of CPU time would be consumed. This flaw has been
mitigated by adding a new configuration directive, max_input_vars, that
limits the maximum number of parameters processed per request. By
default, max_input_vars is set to 1000. (CVE-2011-4885)
An integer overflow flaw was found in the PHP exif extension. On 32-bit
systems, a specially-crafted image file could cause the PHP interpreter to
crash or disclose portions of its memory when a PHP script tries to extract
Exchangeable image file format (Exif) metadata from the image file.
(CVE-2011-4566)
An insufficient input validation flaw, leading to a buffer over-read, was
found in the PHP exif extension. A specially-crafted image file could cause
the PHP interpreter to crash when a PHP script tries to extract
Exchangeable image file format (Exif) metadata from the image file.
(CVE-2011-0708)
An integer overflow flaw was found in the PHP calendar extension. A remote
attacker able to make a PHP script call SdnToJulian() with a large value
could cause the PHP interpreter to crash. (CVE-2011-1466)
An off-by-one flaw was found in PHP. If an attacker uploaded a file with a
specially-crafted file name it could cause a PHP script to attempt to write
a file to the root (/) directory. By default, PHP runs as the "apache"
user, preventing it from writing to the root directory. (CVE-2011-2202)
Red Hat would like to thank oCERT for reporting CVE-2011-4885. oCERT
acknowledges Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4885.
All php users should upgrade to these updated packages, which contain
backported patches to resolve these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
680972 - CVE-2011-0708 php: buffer over-read in Exif extension
689386 - CVE-2011-1466 php: Crash by converting serial day numbers (SDN) into Julian calendar
713194 - CVE-2011-2202 php: file path injection vulnerability in RFC1867 file upload filename
750547 - CVE-2011-4885 php: hash table collisions CPU usage DoS (oCERT-2011-003)
758413 - CVE-2011-4566 php: integer overflow in exif_process_IFD_TAG() may lead to DoS or arbitrary memory disclosure
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/php-4.3.9-3.35.src.rpm
i386:
php-4.3.9-3.35.i386.rpm
php-debuginfo-4.3.9-3.35.i386.rpm
php-devel-4.3.9-3.35.i386.rpm
php-domxml-4.3.9-3.35.i386.rpm
php-gd-4.3.9-3.35.i386.rpm
php-imap-4.3.9-3.35.i386.rpm
php-ldap-4.3.9-3.35.i386.rpm
php-mbstring-4.3.9-3.35.i386.rpm
php-mysql-4.3.9-3.35.i386.rpm
php-ncurses-4.3.9-3.35.i386.rpm
php-odbc-4.3.9-3.35.i386.rpm
php-pear-4.3.9-3.35.i386.rpm
php-pgsql-4.3.9-3.35.i386.rpm
php-snmp-4.3.9-3.35.i386.rpm
php-xmlrpc-4.3.9-3.35.i386.rpm
ia64:
php-4.3.9-3.35.ia64.rpm
php-debuginfo-4.3.9-3.35.ia64.rpm
php-devel-4.3.9-3.35.ia64.rpm
php-domxml-4.3.9-3.35.ia64.rpm
php-gd-4.3.9-3.35.ia64.rpm
php-imap-4.3.9-3.35.ia64.rpm
php-ldap-4.3.9-3.35.ia64.rpm
php-mbstring-4.3.9-3.35.ia64.rpm
php-mysql-4.3.9-3.35.ia64.rpm
php-ncurses-4.3.9-3.35.ia64.rpm
php-odbc-4.3.9-3.35.ia64.rpm
php-pear-4.3.9-3.35.ia64.rpm
php-pgsql-4.3.9-3.35.ia64.rpm
php-snmp-4.3.9-3.35.ia64.rpm
php-xmlrpc-4.3.9-3.35.ia64.rpm
ppc:
php-4.3.9-3.35.ppc.rpm
php-debuginfo-4.3.9-3.35.ppc.rpm
php-devel-4.3.9-3.35.ppc.rpm
php-domxml-4.3.9-3.35.ppc.rpm
php-gd-4.3.9-3.35.ppc.rpm
php-imap-4.3.9-3.35.ppc.rpm
php-ldap-4.3.9-3.35.ppc.rpm
php-mbstring-4.3.9-3.35.ppc.rpm
php-mysql-4.3.9-3.35.ppc.rpm
php-ncurses-4.3.9-3.35.ppc.rpm
php-odbc-4.3.9-3.35.ppc.rpm
php-pear-4.3.9-3.35.ppc.rpm
php-pgsql-4.3.9-3.35.ppc.rpm
php-snmp-4.3.9-3.35.ppc.rpm
php-xmlrpc-4.3.9-3.35.ppc.rpm
s390:
php-4.3.9-3.35.s390.rpm
php-debuginfo-4.3.9-3.35.s390.rpm
php-devel-4.3.9-3.35.s390.rpm
php-domxml-4.3.9-3.35.s390.rpm
php-gd-4.3.9-3.35.s390.rpm
php-imap-4.3.9-3.35.s390.rpm
php-ldap-4.3.9-3.35.s390.rpm
php-mbstring-4.3.9-3.35.s390.rpm
php-mysql-4.3.9-3.35.s390.rpm
php-ncurses-4.3.9-3.35.s390.rpm
php-odbc-4.3.9-3.35.s390.rpm
php-pear-4.3.9-3.35.s390.rpm
php-pgsql-4.3.9-3.35.s390.rpm
php-snmp-4.3.9-3.35.s390.rpm
php-xmlrpc-4.3.9-3.35.s390.rpm
s390x:
php-4.3.9-3.35.s390x.rpm
php-debuginfo-4.3.9-3.35.s390x.rpm
php-devel-4.3.9-3.35.s390x.rpm
php-domxml-4.3.9-3.35.s390x.rpm
php-gd-4.3.9-3.35.s390x.rpm
php-imap-4.3.9-3.35.s390x.rpm
php-ldap-4.3.9-3.35.s390x.rpm
php-mbstring-4.3.9-3.35.s390x.rpm
php-mysql-4.3.9-3.35.s390x.rpm
php-ncurses-4.3.9-3.35.s390x.rpm
php-odbc-4.3.9-3.35.s390x.rpm
php-pear-4.3.9-3.35.s390x.rpm
php-pgsql-4.3.9-3.35.s390x.rpm
php-snmp-4.3.9-3.35.s390x.rpm
php-xmlrpc-4.3.9-3.35.s390x.rpm
x86_64:
php-4.3.9-3.35.x86_64.rpm
php-debuginfo-4.3.9-3.35.x86_64.rpm
php-devel-4.3.9-3.35.x86_64.rpm
php-domxml-4.3.9-3.35.x86_64.rpm
php-gd-4.3.9-3.35.x86_64.rpm
php-imap-4.3.9-3.35.x86_64.rpm
php-ldap-4.3.9-3.35.x86_64.rpm
php-mbstring-4.3.9-3.35.x86_64.rpm
php-mysql-4.3.9-3.35.x86_64.rpm
php-ncurses-4.3.9-3.35.x86_64.rpm
php-odbc-4.3.9-3.35.x86_64.rpm
php-pear-4.3.9-3.35.x86_64.rpm
php-pgsql-4.3.9-3.35.x86_64.rpm
php-snmp-4.3.9-3.35.x86_64.rpm
php-xmlrpc-4.3.9-3.35.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/php-4.3.9-3.35.src.rpm
i386:
php-4.3.9-3.35.i386.rpm
php-debuginfo-4.3.9-3.35.i386.rpm
php-devel-4.3.9-3.35.i386.rpm
php-domxml-4.3.9-3.35.i386.rpm
php-gd-4.3.9-3.35.i386.rpm
php-imap-4.3.9-3.35.i386.rpm
php-ldap-4.3.9-3.35.i386.rpm
php-mbstring-4.3.9-3.35.i386.rpm
php-mysql-4.3.9-3.35.i386.rpm
php-ncurses-4.3.9-3.35.i386.rpm
php-odbc-4.3.9-3.35.i386.rpm
php-pear-4.3.9-3.35.i386.rpm
php-pgsql-4.3.9-3.35.i386.rpm
php-snmp-4.3.9-3.35.i386.rpm
php-xmlrpc-4.3.9-3.35.i386.rpm
x86_64:
php-4.3.9-3.35.x86_64.rpm
php-debuginfo-4.3.9-3.35.x86_64.rpm
php-devel-4.3.9-3.35.x86_64.rpm
php-domxml-4.3.9-3.35.x86_64.rpm
php-gd-4.3.9-3.35.x86_64.rpm
php-imap-4.3.9-3.35.x86_64.rpm
php-ldap-4.3.9-3.35.x86_64.rpm
php-mbstring-4.3.9-3.35.x86_64.rpm
php-mysql-4.3.9-3.35.x86_64.rpm
php-ncurses-4.3.9-3.35.x86_64.rpm
php-odbc-4.3.9-3.35.x86_64.rpm
php-pear-4.3.9-3.35.x86_64.rpm
php-pgsql-4.3.9-3.35.x86_64.rpm
php-snmp-4.3.9-3.35.x86_64.rpm
php-xmlrpc-4.3.9-3.35.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/php-4.3.9-3.35.src.rpm
i386:
php-4.3.9-3.35.i386.rpm
php-debuginfo-4.3.9-3.35.i386.rpm
php-devel-4.3.9-3.35.i386.rpm
php-domxml-4.3.9-3.35.i386.rpm
php-gd-4.3.9-3.35.i386.rpm
php-imap-4.3.9-3.35.i386.rpm
php-ldap-4.3.9-3.35.i386.rpm
php-mbstring-4.3.9-3.35.i386.rpm
php-mysql-4.3.9-3.35.i386.rpm
php-ncurses-4.3.9-3.35.i386.rpm
php-odbc-4.3.9-3.35.i386.rpm
php-pear-4.3.9-3.35.i386.rpm
php-pgsql-4.3.9-3.35.i386.rpm
php-snmp-4.3.9-3.35.i386.rpm
php-xmlrpc-4.3.9-3.35.i386.rpm
ia64:
php-4.3.9-3.35.ia64.rpm
php-debuginfo-4.3.9-3.35.ia64.rpm
php-devel-4.3.9-3.35.ia64.rpm
php-domxml-4.3.9-3.35.ia64.rpm
php-gd-4.3.9-3.35.ia64.rpm
php-imap-4.3.9-3.35.ia64.rpm
php-ldap-4.3.9-3.35.ia64.rpm
php-mbstring-4.3.9-3.35.ia64.rpm
php-mysql-4.3.9-3.35.ia64.rpm
php-ncurses-4.3.9-3.35.ia64.rpm
php-odbc-4.3.9-3.35.ia64.rpm
php-pear-4.3.9-3.35.ia64.rpm
php-pgsql-4.3.9-3.35.ia64.rpm
php-snmp-4.3.9-3.35.ia64.rpm
php-xmlrpc-4.3.9-3.35.ia64.rpm
x86_64:
php-4.3.9-3.35.x86_64.rpm
php-debuginfo-4.3.9-3.35.x86_64.rpm
php-devel-4.3.9-3.35.x86_64.rpm
php-domxml-4.3.9-3.35.x86_64.rpm
php-gd-4.3.9-3.35.x86_64.rpm
php-imap-4.3.9-3.35.x86_64.rpm
php-ldap-4.3.9-3.35.x86_64.rpm
php-mbstring-4.3.9-3.35.x86_64.rpm
php-mysql-4.3.9-3.35.x86_64.rpm
php-ncurses-4.3.9-3.35.x86_64.rpm
php-odbc-4.3.9-3.35.x86_64.rpm
php-pear-4.3.9-3.35.x86_64.rpm
php-pgsql-4.3.9-3.35.x86_64.rpm
php-snmp-4.3.9-3.35.x86_64.rpm
php-xmlrpc-4.3.9-3.35.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/php-4.3.9-3.35.src.rpm
i386:
php-4.3.9-3.35.i386.rpm
php-debuginfo-4.3.9-3.35.i386.rpm
php-devel-4.3.9-3.35.i386.rpm
php-domxml-4.3.9-3.35.i386.rpm
php-gd-4.3.9-3.35.i386.rpm
php-imap-4.3.9-3.35.i386.rpm
php-ldap-4.3.9-3.35.i386.rpm
php-mbstring-4.3.9-3.35.i386.rpm
php-mysql-4.3.9-3.35.i386.rpm
php-ncurses-4.3.9-3.35.i386.rpm
php-odbc-4.3.9-3.35.i386.rpm
php-pear-4.3.9-3.35.i386.rpm
php-pgsql-4.3.9-3.35.i386.rpm
php-snmp-4.3.9-3.35.i386.rpm
php-xmlrpc-4.3.9-3.35.i386.rpm
ia64:
php-4.3.9-3.35.ia64.rpm
php-debuginfo-4.3.9-3.35.ia64.rpm
php-devel-4.3.9-3.35.ia64.rpm
php-domxml-4.3.9-3.35.ia64.rpm
php-gd-4.3.9-3.35.ia64.rpm
php-imap-4.3.9-3.35.ia64.rpm
php-ldap-4.3.9-3.35.ia64.rpm
php-mbstring-4.3.9-3.35.ia64.rpm
php-mysql-4.3.9-3.35.ia64.rpm
php-ncurses-4.3.9-3.35.ia64.rpm
php-odbc-4.3.9-3.35.ia64.rpm
php-pear-4.3.9-3.35.ia64.rpm
php-pgsql-4.3.9-3.35.ia64.rpm
php-snmp-4.3.9-3.35.ia64.rpm
php-xmlrpc-4.3.9-3.35.ia64.rpm
x86_64:
php-4.3.9-3.35.x86_64.rpm
php-debuginfo-4.3.9-3.35.x86_64.rpm
php-devel-4.3.9-3.35.x86_64.rpm
php-domxml-4.3.9-3.35.x86_64.rpm
php-gd-4.3.9-3.35.x86_64.rpm
php-imap-4.3.9-3.35.x86_64.rpm
php-ldap-4.3.9-3.35.x86_64.rpm
php-mbstring-4.3.9-3.35.x86_64.rpm
php-mysql-4.3.9-3.35.x86_64.rpm
php-ncurses-4.3.9-3.35.x86_64.rpm
php-odbc-4.3.9-3.35.x86_64.rpm
php-pear-4.3.9-3.35.x86_64.rpm
php-pgsql-4.3.9-3.35.x86_64.rpm
php-snmp-4.3.9-3.35.x86_64.rpm
php-xmlrpc-4.3.9-3.35.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package
7. References:
https://www.redhat.com/security/data/cve/CVE-2011-0708.html
https://www.redhat.com/security/data/cve/CVE-2011-1466.html
https://www.redhat.com/security/data/cve/CVE-2011-2202.html
https://www.redhat.com/security/data/cve/CVE-2011-4566.html
https://www.redhat.com/security/data/cve/CVE-2011-4885.html
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2012 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFPJuP0XlSAg2UNWIIRAnNOAKClNo8zOfCzHt6mFA6kICm9eYZPnwCfdopP
CB73QjymTYOW3rKlctdBUlk=
=6MVP
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTydvMu4yVqjM2NGpAQJJog//eDuIhQji9HzYMVu9zLAzJOmtfpHLtz6w
3HO+2Zu85cSxSiXItJAHEP/9guNFDsRlXo7p9itZUcvL3Xct7GHhgG3rixxcEV9Q
dOb3Fc95Y3Fkydbd8p+/0uMe9/fr++RarGnADXI7PRRxZw6j+11VpQn7eFf4bPyi
e60pZUFNYQyeWognPvw2MjUr/RErV8LXJQQ4mB44X5DLLRLfAeEBZ8vrI6Kr9CDe
S8PL69o9jBWEA/iVmk/Ayb77FInD1PFndih71/8y1HHer0QJcgb6iG9jKEfDWM6I
TjwePfUQnCtWivfTsh3yRO+masAf1/IG1lGB1bDdMaEv61w+SVag/DYvezSaH0Cv
60kTyOQiq3AEtuZZHMJjHldyzPex5Uuy2HHNxUA0vK6YcdQsXsYQRGcy5+Lmy6PD
oqYEYpPe4gvCXgEU5f6HeUqsSwtA68ejLDvj9DmS3fnHrO4znMB0/pdeZE9KxOSe
+JuiF+VR9PdDvs2LlGZe7xLjW+ZjY1UJsKGgMKxVFGrlJeRwDIQXWU5tGQzOB0GM
0YHk1pieML4BI+ZnT6n/vL7vbDMsQlzmPj4gClU3bAOqp8/AyDnbpX+AgVSQMAKT
5LExdTHkB2ym3gFO50CbDFXzWz41Pu6lDoNDMAVxtw9mToc5XatXynOu1/34MC/I
23pagHORGRE=
=1Thp
-----END PGP SIGNATURE-----
|