------------------------------------------------------------------------
Debian Security Advisory DSA-1940-1                  [email protected]
http://www.debian.org/security/                           Stefan Fritsch
November 25, 2009                    http://www.debian.org/security/faq
------------------------------------------------------------------------
Package : php5
Vulnerability : multiple issues
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2626 CVE-2009-2687 CVE-2009-3291 CVE-2009-3292
Debian bugs : 535888 540605 527560
Several remote vulnerabilities have been discovered in the PHP 5
hypertext preprocessor. The Common Vulnerabilities and Exposures
project identifies the following problems:
The following issues have been fixed in both the stable (lenny)
and the oldstable (etch) distributions:
CVE-2009-2687 CVE-2009-3292
The exif module did not properly handle malformed jpeg files,
allowing an attacker to cause a segfault, resulting in a denial
of service.
CVE-2009-3291
The php_openssl_apply_verification_policy() function did not
properly perform certificate validation.
No CVE id yet
Bogdan Calin discovered that a remote attacker could cause a denial
of service by uploading a large number of files using
multipart/form-data requests, causing the creation of a large number
of temporary files.
To address this issue, the max_file_uploads option introduced in PHP
5.3.1 has been backported. This option limits the maximum number of
files uploaded per request. The default value for this new option is
50. See NEWS.Debian for more information.
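As an added illustration (not PHP's or Debian's code, and not part of the advisory), a minimal multipart/form-data parser that applies a max_file_uploads-style cap before spooling each file part to a temporary file, so parts beyond the cap never consume a temp file; build_multipart, parse_uploads and cleanup are names chosen here, and the 50-file default is the one the advisory states.

```python
import os
import re
import tempfile

MAX_FILE_UPLOADS = 50  # default of the backported option, per the advisory

def build_multipart(boundary: str, n_files: int) -> bytes:
    """Construct a request body with n_files file parts (constructed test data)."""
    parts = []
    for i in range(n_files):
        parts.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"\r\n'
            "Content-Type: text/plain\r\n\r\n"
            f"data{i}\r\n"
        )
    parts.append(f"--{boundary}--\r\n")
    return "".join(parts).encode()

def parse_uploads(body: bytes, boundary: str, limit: int = MAX_FILE_UPLOADS):
    """Spool file parts to temp files, but never more than `limit` per request.

    Returns (saved, skipped): saved is a list of (filename, temp path);
    skipped counts the file parts refused once the cap was reached, so no
    temp file is ever created for them (the resource the DoS exhausted).
    """
    delim = b"--" + boundary.encode()
    saved, skipped = [], 0
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: end of the body
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'filename="([^"]*)"', head)
        if not match:
            continue  # ordinary form field, not a file upload
        if len(saved) >= limit:
            skipped += 1  # PHP logs a warning and drops the part here
            continue
        tmp = tempfile.NamedTemporaryFile(prefix="php", delete=False)
        tmp.write(data.rstrip(b"\r\n"))
        tmp.close()
        saved.append((match.group(1).decode(), tmp.name))
    return saved, skipped

def cleanup(saved) -> None:
    """Remove the spooled temp files once the request has been handled."""
    for _, path in saved:
        os.remove(path)
```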
The following issue has been fixed in the stable (lenny) distribution:
CVE-2009-2626
A flaw in the ini_restore() function could lead to a memory
disclosure, possibly leading to the disclosure of sensitive data.
In the oldstable (etch) distribution, this update also fixes a regression introduced by the fix for CVE-2008-5658 in DSA-1789-1 (bug #527560).
For the stable distribution (lenny), these problems have been fixed in
version 5.2.6.dfsg.1-1+lenny4.
For the oldstable distribution (etch), these problems have been fixed in
version 5.2.0+dfsg-8+etch16.
For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed in version 5.2.11.dfsg.1-2.
We recommend that you upgrade your php5 packages.
Upgrade instructions
--------------------
wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 (oldstable) alias etch
-------------------------------------------
Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives: