https://www.eweek.com/security/debian-and-php-pear-projects-update-for-application-vulnerabilities
By Sean Michael Kerner
eWeek.com
January 25, 2019
Time and again, security experts and vendors alike recommend that
organizations and end users keep software and systems updated with the
latest patches.
But what happens when the application infrastructure that is supposed to
deliver those patches is itself at risk? That's what open-source and Linux
users faced this past week, with a pair of projects reporting
vulnerabilities.
On Jan. 22, the Debian Linux distribution reported a vulnerability in its APT
package manager that is used by end users and organizations to get application
updates. That disclosure was followed a day later, on Jan. 23, with the PHP
PEAR (PHP Extension and Application Repository) shutting down its primary
website, warning that it was the victim of a data breach. PHP PEAR is a package
manager that is included with many Linux distributions as part of the
open-source PHP programming language binaries.
Debian is a popular Linux distribution and also serves as the base for multiple
other Linux distributions, including Ubuntu. The Debian APT vulnerability,
identified as CVE-2019-3462, was first reported by researcher Max Justicz, who
described the vulnerability as a remote code execution risk.
[...]