[Secure-testing-commits] r1890 - data/DTSA/advs
Neil McGovern
neilm at costa.debian.org
Fri Sep 9 22:53:14 UTC 2005
Author: neilm
Date: 2005-09-09 22:53:14 +0000 (Fri, 09 Sep 2005)
New Revision: 1890
Added:
data/DTSA/advs/16-php4.adv
Log:
PHP .adv
Added: data/DTSA/advs/16-php4.adv
===================================================================
--- data/DTSA/advs/16-php4.adv 2005-09-09 22:01:18 UTC (rev 1889)
+++ data/DTSA/advs/16-php4.adv 2005-09-09 22:53:14 UTC (rev 1890)
@@ -0,0 +1,35 @@
+source: php4
+date: September 10th, 2005
+author: Neil McGovern
+vuln-type: several vulnerabilities
+problem-scope: remote/local
+debian-specifc: no
+cve: CAN-2005-1751 CAN-2005-1921 CAN-2005-2498
+vendor-advisory:
+testing-fix: 4.3.10-16etch1
+sid-fix: 4.4.0-2
+upgrade: apt-get upgrade
+
+Several security related problems have been found in PHP4, the
+server-side, HTML-embedded scripting language. The Common
+Vulnerabilities and Exposures project identifies the following
+problems:
+
+CAN-2005-1751
+
+ Eric Romang discovered insecure temporary files in the shtool
+ utility shipped with PHP that can exploited by a local attacker to
+ overwrite arbitrary files. Only this vulnerability affects
+ packages in oldstable.
+
+CAN-2005-1921
+
+ GulfTech has discovered that PEAR XML_RPC is vulnerable to a
+ remote PHP code execution vulnerability that may allow an attacker
+ to compromise a vulnerable server.
+
+CAN-2005-2498
+
+ Stefan Esser discovered another vulnerability in the XML-RPC
+ libraries that allows injection of arbitrary PHP code into eval()
+ statements.
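Review bot: The header key on the `+debian-specifc: no` line is spelled `debian-specifc`; if the advisory tooling matches on `debian-specific`, this field will be silently skipped, so the spelling should be checked against the other .adv files before this goes out. In the CAN-2005-1751 paragraph, "that can exploited" is missing "be". The sentence "Only this vulnerability affects packages in oldstable" refers to oldstable, while the fix fields above list only `testing-fix` and `sid-fix`, so it is worth confirming that the sentence belongs in this advisory. `vendor-advisory:` is also left empty; either fill it in or note that there is none.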