-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2007.020 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2007.020 Advisory Published: 2007-06-01 14:10 UTC Issue Id (internal): OpenPKG-SI-20070601.01 Issue First Created: 2007-06-01 Issue Last Modified: 2007-06-01 Issue Revision: 02 ____________________________________________________________________________ Subject Name: php Security fixes Subject Summary: Security Fixes Subject Home: - Subject Versions: php5.* <= 5.2.3 Vulnerability Id: CVE-2007-2872, CVE-2007-2756 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service, exposure of sensitive information, arbitrary code execution Description: According to a vendor release announcement [0] multiple security Enhancements and Fixes were fixed in version 5.2.3 of the programming language PHP [1]. Fixes that apply to the OpenPKG Enterprise 1 packages were extraced and backported. The readfile() funciton allows checking the existence of files anywhere in the filesystem. circumventing the open_basedir restriction. (http://bugs.php.net/bug.php?id=41492) Fixed possible infinite loop in imagecreatefrompng. (Xavier Roche) (CVE-2007-2756) Fixed an integer overflow inside chunk_split() (Gerhard Wagner) (CVE-2007-2872) References: [0] http://www.php.net/releases/5_2_3.php [1] http://www.php.net/ ____________________________________________________________________________ Primary Package Name: php Primary Package Home: http://openpkg.org/go/package/php Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID apache-1.3.37-E1.0.6 OpenPKG Enterprise E1.0-SOLID php-5.1.6-E1.0.4 OpenPKG Community CURRENT apache-1.3.37-20070601 OpenPKG Community CURRENT apache2-php-5.2.3-20070601 OpenPKG Community CURRENT php-5.2.3-20070601 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from http://openpkg.com/openpkg.com.pgp or retrieve from the OpenPGP keyserver at hkp://pgp.openpkg.org/. Follow the instructions at http://openpkg.com/security/signatures/ for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH <http://openpkg.com/> iD8DBQFGYAy3ZwQuyWG3rjQRAiYNAJ45r0YfBhnsIdTfGGKOwWT6XDi0/wCfUY+8 QnXdFKPBu0unwvT8LByR2eM= =4f0n -----END PGP SIGNATURE-----
