[ MDVSA-2009:024 ] php4
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:024
http://www.mandriva.com/security/
_______________________________________________________________________
Package : php4
Date : January 21, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A buffer overflow in the imageloadfont() function in PHP allowed
context-dependent attackers to cause a denial of service (crash)
and potentially execute arbitrary code via a crafted font file
(CVE-2008-3658).
A buffer overflow in the memnstr() function allowed context-dependent
attackers to cause a denial of service (crash) and potentially execute
arbitrary code via the delimiter argument to the explode() function
(CVE-2008-3659).
PHP, when used as a FastCGI module, allowed remote attackers to cause
a denial of service (crash) via a request with multiple dots preceding
the extension (CVE-2008-3660).
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3658
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
_______________________________________________________________________
Updated Packages:
Corporate 3.0:
acf26c8efc90342d906e59c0444bd46a
corporate/3.0/i586/libphp_common432-4.3.4-4.29.C30mdk.i586.rpm
f7cf98731681e6af45aca3dd2246c0f7
corporate/3.0/i586/php432-devel-4.3.4-4.29.C30mdk.i586.rpm
8f8d00fa42b95a28e77d600d081c95d9
corporate/3.0/i586/php-cgi-4.3.4-4.29.C30mdk.i586.rpm
d6b96c7cf8d6416ec3d8bb111c4440da
corporate/3.0/i586/php-cli-4.3.4-4.29.C30mdk.i586.rpm
57b308993c4e4635f343d4ef0d36a6c2
corporate/3.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
Corporate 3.0/X86_64:
8164e4bfb1a7ffb5fd1bca2afcaef9ef
corporate/3.0/x86_64/lib64php_common432-4.3.4-4.29.C30mdk.x86_64.rpm
625a98ec0ec42052ffbb9da5f8b9caca
corporate/3.0/x86_64/php432-devel-4.3.4-4.29.C30mdk.x86_64.rpm
5b3143860009e7cf82f323e45f575324
corporate/3.0/x86_64/php-cgi-4.3.4-4.29.C30mdk.x86_64.rpm
48bff6270d231dffc8a5fbfbe0d1630e
corporate/3.0/x86_64/php-cli-4.3.4-4.29.C30mdk.x86_64.rpm
57b308993c4e4635f343d4ef0d36a6c2
corporate/3.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
Corporate 4.0:
828884555043ebbf5af7d91d8a6401ad
corporate/4.0/i586/libphp4_common4-4.4.4-1.9.20060mlcs4.i586.rpm
ac0b8ea0e61fdda9e8716fde02f25100
corporate/4.0/i586/php4-cgi-4.4.4-1.9.20060mlcs4.i586.rpm
19eddb6987778bee19f9978cc59cb54b
corporate/4.0/i586/php4-cli-4.4.4-1.9.20060mlcs4.i586.rpm
4ea6bb54f1ea066cd6ee29d894d9a0fd
corporate/4.0/i586/php4-devel-4.4.4-1.9.20060mlcs4.i586.rpm
dc2d58cb2ed98936ec15dc030689fb14
corporate/4.0/SRPMS/php4-4.4.4-1.9.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
60d3900495dd46161a6ba20fdbdfdd7d
corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.9.20060mlcs4.x86_64.rpm
60e039c9d60030616e4f05c81ea29455
corporate/4.0/x86_64/php4-cgi-4.4.4-1.9.20060mlcs4.x86_64.rpm
f8e9e9faf82d8edbe2d9bf88572f2311
corporate/4.0/x86_64/php4-cli-4.4.4-1.9.20060mlcs4.x86_64.rpm
5561a9c77979daf567d1acffc73d4918
corporate/4.0/x86_64/php4-devel-4.4.4-1.9.20060mlcs4.x86_64.rpm
dc2d58cb2ed98936ec15dc030689fb14
corporate/4.0/SRPMS/php4-4.4.4-1.9.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
0183137a3353b21a77e147b745d21ec4
mnf/2.0/i586/libphp_common432-4.3.4-4.29.C30mdk.i586.rpm
1173011f1e24f85619f78966b1533e11
mnf/2.0/i586/php-cgi-4.3.4-4.29.C30mdk.i586.rpm
b726b9c13b620a12c5e8603c197d76c9
mnf/2.0/i586/php-cli-4.3.4-4.29.C30mdk.i586.rpm
87805cd270bffde644fee3ec29ecfd54 mnf/2.0/SRPMS/php-4.3.4-4.29.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJd55+mqjQ0CJFipgRAmtGAJ45ZVHxX/mQROiWu/W+EmPyT+UwFgCfRdDR
jaoTCVqDPgqPjX/k4OYu1Vk=
=fHY4
-----END PGP SIGNATURE-----