OVAL

DSA-2089-1 php5 -- several

ID: oval:org.secpod.oval:def:600063
Date: (C)2011-01-28   (M)2022-10-10
Class: PATCH
Family: unix




Several remote vulnerabilities have been discovered in PHP 5, a hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-1917: The fnmatch function can be abused to conduct denial of service attacks by means of a stack overflow.

CVE-2010-2225: The SplObjectStorage unserializer allows attackers to execute arbitrary code via serialized data by means of a use-after-free vulnerability.

MOPS-60: The default sessions serializer does not correctly handle a special marker, which allows an attacker to inject arbitrary variables into the session and possibly exploit vulnerabilities in the unserializer.

For the vulnerability described by CVE-2010-1128 we do not consider upstream's solution to be sufficient. It is recommended to uncomment the "session.entropy_file" and "session.entropy_length" settings in the php.ini files. Further improvements can be achieved by setting "session.hash_function" to 1 and incrementing the value of "session.entropy_length".

For the stable distribution, these problems have been fixed in version 5.2.6.dfsg.1-1+lenny9. For the testing distribution and the unstable distribution, these problems will be fixed soon.

We recommend that you upgrade your php5 packages.

Platform:
Debian 5.0
Product:
php5
Reference:
DSA-2089-1
CVE-2010-1917
CVE-2010-2225
CVE-2010-1128
CPE:
cpe:/o:debian:debian_linux:5.x

© SecPod Technologies