Oval Definition:oval:org.mitre.oval:def:13696
Revision Date:2014-06-23Version:21
Title:DSA-1789-1 php5 -- several
Description:Several remote vulnerabilities have been discovered in the PHP 5 hypertext preprocessor. The Common Vulnerabilities and Exposures project identifies the following problems. The following four vulnerabilities have already been fixed in the stable version of php5 prior to the release of lenny. This update now addresses them for etch aswell: CVE-2008-2107 / CVE-2008-2108 The GENERATE_SEED macro has several problems that make predicting generated random numbers easier, facilitating attacks against measures that use rand or mt_rand as part of a protection. CVE-2008-5557 A buffer overflow in the mbstring extension allows attackers to execute arbitrary code via a crafted string containing an HTML entity. CVE-2008-5624 The page_uid and page_gid variables are not correctly set, allowing use of some functionality intended to be restricted to root. CVE-2008-5658 Directory traversal vulnerability in the ZipArchive::extractTo function allows attackers to write arbitrary files via a ZIP file with a file whose name contains sequences. This update also addresses the following three vulnerabilities for both oldstable and stable: CVE-2008-5814 Cross-site scripting vulnerability, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML. CVE-2009-0754 When running on Apache, PHP allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server. CVE-2009-1271 the JSON_parser function allows a denial of service via a malformed string to the json_decode API function. Furthermore, two updates originally scheduled for the next point update for oldstable are included in the etch package: * Let PHP use the system timezone database instead of the embedded timezone database which is out of date. * From the source tarball, the unused "dbase" module has been removed which contained licensing problems. For the old stable distribution, these problems have been fixed in version 5.2.0+dfsg-8+etch15. For the stable distribution, these problems have been fixed in version 5.2.6.dfsg.1-1+lenny3. For the unstable distribution, these problems have been fixed in version 5.2.9.dfsg.1-1. We recommend that you upgrade your php5 package.
Family:unixClass:patch
Status:ACCEPTEDReference(s):CVE-2008-2107
CVE-2008-2108
CVE-2008-5557
CVE-2008-5624
CVE-2008-5658
CVE-2008-5814
CVE-2009-0754
CVE-2009-1271
DSA-1789-1
Platform(s):Debian GNU/Linux 4.0
Debian GNU/Linux 5.0
Product(s):php5
Definition Synopsis
  • Release section
  • Debian GNU/Linux 5.0 is installed
  • AND Architecture section
  • Architecture independent section
  • Installed architecture is all
  • AND Packages section
  • php5 DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php-pear DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR Architecture depended section
  • Supported architectures section
  • Installed architecture is s390
  • OR Installed architecture is amd64
  • OR Installed architecture is sparc
  • OR Installed architecture is arm
  • OR Installed architecture is i386
  • OR Installed architecture is armel
  • OR Installed architecture is mips
  • OR Installed architecture is ia64
  • OR Installed architecture is alpha
  • OR Installed architecture is powerpc
  • OR Installed architecture is mipsel
  • OR Installed architecture is hppa
  • AND Packages section
  • php5-recode DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-xmlrpc DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-curl DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-snmp DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-mysql DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-odbc DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-xsl DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-gd DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR libapache2-mod-php5 DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-mhash DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-tidy DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-mcrypt DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-dev DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-pgsql DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-gmp DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-cgi DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-imap DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-sqlite DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-ldap DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-cli DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-sybase DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR libapache2-mod-php5filter DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-pspell DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-common DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR php5-dbg DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR Architecture depended section
  • Supported architectures section
  • Installed architecture is sparc
  • OR Installed architecture is powerpc
  • OR Installed architecture is i386
  • OR Installed architecture is amd64
  • AND php5-interbase DPKG is earlier than 5.2.6.dfsg.1-1+lenny3
  • OR Release section
  • Debian GNU/Linux 4.0 is installed.
  • AND Architecture section
  • Architecture independent section
  • Installed architecture is all
  • AND Packages section
  • php5 DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php-pear DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR libapache-mod-php5 DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-recode DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-cgi DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-curl DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-snmp DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-mysql DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-odbc DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-xsl DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-gd DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR libapache2-mod-php5 DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-mhash DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-tidy DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-mcrypt DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-dev DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-pgsql DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-xmlrpc DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-imap DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-sqlite DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-ldap DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-cli DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-sybase DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-pspell DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR php5-common DPKG is earlier than 5.2.0+dfsg-8+etch15
  • OR Architecture depended section
  • Supported architectures section
  • Installed architecture is i386
  • OR Installed architecture is amd64
  • AND php5-interbase DPKG is earlier than 5.2.0+dfsg-8+etch15
    • BACK