
SuSE: New PHP packages fix security vulnerabilities

This update of PHP5 fixes multiple security flaws. Missing checks of return values could allow remote attackers to cause a denial of service (NULL pointer dereference). Specially crafted XSLT stylesheets could allow remote attackers to create arbitrary files with arbitrary content. A stack based buffer overflow in php5’s Suhosin extension could allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header.

Temporary changes to the magic_quotes_gpc directive during the importing of environment variables are not properly performed, which makes it easier for remote attackers to conduct SQL injection.

Updated packages are available from download.opensuse.org.

  SUSE Security Update: Security update for PHP5
  ______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0472-1
Rating:             important
References:         #741520 #741859 #743308 #746661 #749111 
Cross-References:   CVE-2011-4153 CVE-2012-0057 CVE-2012-0807
                   CVE-2012-0831
Affected Products:
                   SUSE Linux Enterprise Software Development Kit 11 SP2
                   SUSE Linux Enterprise Server 11 SP2 for VMware
                   SUSE Linux Enterprise Server 11 SP2
______________________________________________________________________________

  An update that solves four vulnerabilities and has one
  erratum is now available.

Description:


  This update of PHP5 fixes multiple security flaws:

  * CVE-2011-4153, missing checks of return values could
  allow remote attackers to cause a denial of service (NULL
  pointer dereference)
  * CVE-2012-0057, specially crafted XSLT stylesheets
  could allow remote attackers to create arbitrary files with
  arbitrary content
  * CVE-2012-0807, a stack-based buffer overflow in
  php5's Suhosin extension could allow remote attackers to
  execute arbitrary code via a long string that is used in a
  Set-Cookie HTTP header
  * CVE-2012-0831, temporary changes to the
  magic_quotes_gpc directive during the importing of
  environment variables are not properly performed, which makes
  it easier for remote attackers to conduct SQL injection

  Security Issue references:

  * CVE-2011-4153
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153>

  * CVE-2012-0057
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057>

  * CVE-2012-0807
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807>

  * CVE-2012-0831
  <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831>



Patch Instructions:

  To install this SUSE Security Update use YaST online_update.
  Alternatively you can run the command listed for your product:

  - SUSE Linux Enterprise Software Development Kit 11 SP2:

     zypper in -t patch sdksp2-apache2-mod_php53-5958

  - SUSE Linux Enterprise Server 11 SP2 for VMware:

     zypper in -t patch slessp2-apache2-mod_php53-5958

  - SUSE Linux Enterprise Server 11 SP2:

     zypper in -t patch slessp2-apache2-mod_php53-5958

  To bring your system up-to-date, use "zypper patch".


Package List:

  - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64):

     php53-devel-5.3.8-0.23.1
     php53-imap-5.3.8-0.23.1
     php53-posix-5.3.8-0.23.1
     php53-readline-5.3.8-0.23.1
     php53-sockets-5.3.8-0.23.1
     php53-sqlite-5.3.8-0.23.1
     php53-tidy-5.3.8-0.23.1

  - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

     apache2-mod_php53-5.3.8-0.23.1
     php53-5.3.8-0.23.1
     php53-bcmath-5.3.8-0.23.1
     php53-bz2-5.3.8-0.23.1
     php53-calendar-5.3.8-0.23.1
     php53-ctype-5.3.8-0.23.1
     php53-curl-5.3.8-0.23.1
     php53-dba-5.3.8-0.23.1
     php53-dom-5.3.8-0.23.1
     php53-exif-5.3.8-0.23.1
     php53-fastcgi-5.3.8-0.23.1
     php53-fileinfo-5.3.8-0.23.1
     php53-ftp-5.3.8-0.23.1
     php53-gd-5.3.8-0.23.1
     php53-gettext-5.3.8-0.23.1
     php53-gmp-5.3.8-0.23.1
     php53-iconv-5.3.8-0.23.1
     php53-intl-5.3.8-0.23.1
     php53-json-5.3.8-0.23.1
     php53-ldap-5.3.8-0.23.1
     php53-mbstring-5.3.8-0.23.1
     php53-mcrypt-5.3.8-0.23.1
     php53-mysql-5.3.8-0.23.1
     php53-odbc-5.3.8-0.23.1
     php53-openssl-5.3.8-0.23.1
     php53-pcntl-5.3.8-0.23.1
     php53-pdo-5.3.8-0.23.1
     php53-pear-5.3.8-0.23.1
     php53-pgsql-5.3.8-0.23.1
     php53-pspell-5.3.8-0.23.1
     php53-shmop-5.3.8-0.23.1
     php53-snmp-5.3.8-0.23.1
     php53-soap-5.3.8-0.23.1
     php53-suhosin-5.3.8-0.23.1
     php53-sysvmsg-5.3.8-0.23.1
     php53-sysvsem-5.3.8-0.23.1
     php53-sysvshm-5.3.8-0.23.1
     php53-tokenizer-5.3.8-0.23.1
     php53-wddx-5.3.8-0.23.1
     php53-xmlreader-5.3.8-0.23.1
     php53-xmlrpc-5.3.8-0.23.1
     php53-xmlwriter-5.3.8-0.23.1
     php53-xsl-5.3.8-0.23.1
     php53-zip-5.3.8-0.23.1
     php53-zlib-5.3.8-0.23.1

  - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64):

     apache2-mod_php53-5.3.8-0.23.1
     php53-5.3.8-0.23.1
     php53-bcmath-5.3.8-0.23.1
     php53-bz2-5.3.8-0.23.1
     php53-calendar-5.3.8-0.23.1
     php53-ctype-5.3.8-0.23.1
     php53-curl-5.3.8-0.23.1
     php53-dba-5.3.8-0.23.1
     php53-dom-5.3.8-0.23.1
     php53-exif-5.3.8-0.23.1
     php53-fastcgi-5.3.8-0.23.1
     php53-fileinfo-5.3.8-0.23.1
     php53-ftp-5.3.8-0.23.1
     php53-gd-5.3.8-0.23.1
     php53-gettext-5.3.8-0.23.1
     php53-gmp-5.3.8-0.23.1
     php53-iconv-5.3.8-0.23.1
     php53-intl-5.3.8-0.23.1
     php53-json-5.3.8-0.23.1
     php53-ldap-5.3.8-0.23.1
     php53-mbstring-5.3.8-0.23.1
     php53-mcrypt-5.3.8-0.23.1
     php53-mysql-5.3.8-0.23.1
     php53-odbc-5.3.8-0.23.1
     php53-openssl-5.3.8-0.23.1
     php53-pcntl-5.3.8-0.23.1
     php53-pdo-5.3.8-0.23.1
     php53-pear-5.3.8-0.23.1
     php53-pgsql-5.3.8-0.23.1
     php53-pspell-5.3.8-0.23.1
     php53-shmop-5.3.8-0.23.1
     php53-snmp-5.3.8-0.23.1
     php53-soap-5.3.8-0.23.1
     php53-suhosin-5.3.8-0.23.1
     php53-sysvmsg-5.3.8-0.23.1
     php53-sysvsem-5.3.8-0.23.1
     php53-sysvshm-5.3.8-0.23.1
     php53-tokenizer-5.3.8-0.23.1
     php53-wddx-5.3.8-0.23.1
     php53-xmlreader-5.3.8-0.23.1
     php53-xmlrpc-5.3.8-0.23.1
     php53-xmlwriter-5.3.8-0.23.1
     php53-xsl-5.3.8-0.23.1
     php53-zip-5.3.8-0.23.1
     php53-zlib-5.3.8-0.23.1
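  As an added example that is not part of the SUSE advisory: a small POSIX shell
  check that reads an rpm package inventory and reports every php53 package that
  is still below the fixed build 5.3.8-0.23.1 listed above, so the result of the
  zypper patch can be verified across hosts. It assumes the inventory is produced
  by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and that version and release
  strings are purely numeric, dot- and dash-separated (true for the packages in
  this advisory; the comparison is not a full rpmvercmp). The two sample
  inventories inside the script are constructed for illustration, not captured
  from real hosts, and the function names vercmp and check_inventory are the
  example's own.

```sh
#!/bin/sh
# Added example, not part of the SUSE advisory: report php53 packages that are
# still below the fixed build 5.3.8-0.23.1 from SUSE-SU-2012:0472-1.
#
# Assumptions: input lines look like "NAME VERSION-RELEASE", as produced by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# and VERSION-RELEASE consists only of dot/dash separated integers (true for
# the packages in this advisory; this is not a full rpmvercmp implementation).

FIXED_VERSION="5.3.8-0.23.1"

# vercmp A B: print -1, 0 or 1 depending on whether A < B, A == B or A > B.
# Segments are compared as integers; a missing trailing segment counts as 0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.-]"); nb = split(b, y, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) { print "-1"; exit }
            if (xa > yb) { print "1";  exit }
        }
        print "0"
    }'
}

# check_inventory: read "NAME VERSION-RELEASE" lines on stdin, print every
# php53 package below FIXED_VERSION, and return 1 if any was found, else 0.
# Packages outside the advisory's package list are ignored.
check_inventory() {
    vulnerable=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        case "$name" in
            php53|php53-*|apache2-mod_php53) ;;
            *) continue ;;
        esac
        if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
            echo "VULNERABLE $name $ver (fixed in $FIXED_VERSION)"
            vulnerable=1
        fi
    done
    return $vulnerable
}

# Constructed sample inventories (not captured from real hosts): one host on an
# older php53 build plus an unrelated package, one host fully patched.
SAMPLE_OLD='php53 5.3.8-0.22.1
php53-mysql 5.3.8-0.22.1
php53-suhosin 5.3.8-0.22.1
apache2-mod_php53 5.3.8-0.22.1
libxml2 2.7.6-0.15.1'

SAMPLE_NEW='php53 5.3.8-0.23.1
php53-mysql 5.3.8-0.23.1
php53-suhosin 5.3.8-0.23.1
apache2-mod_php53 5.3.8-0.23.1'

# On a real SLES 11 SP2 host replace the sample with:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_inventory
if printf '%s\n' "$SAMPLE_OLD" | check_inventory; then
    echo "all php53 packages are at or above $FIXED_VERSION"
else
    echo "update needed: zypper in -t patch slessp2-apache2-mod_php53-5958"
fi
```

  The script only reports; applying the fix is still the zypper command given
  under Patch Instructions for the product in question. Because the Suhosin
  overflow (CVE-2012-0807) lives in its own package, php53-suhosin is worth
  checking explicitly even on hosts where the core php53 package already shows
  the fixed build.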


References:

  http://support.novell.com/security/cve/CVE-2011-4153.html
  http://support.novell.com/security/cve/CVE-2012-0057.html
  http://support.novell.com/security/cve/CVE-2012-0807.html
  http://support.novell.com/security/cve/CVE-2012-0831.html
  https://bugzilla.novell.com/741520
  https://bugzilla.novell.com/741859
  https://bugzilla.novell.com/743308
  https://bugzilla.novell.com/746661
  https://bugzilla.novell.com/749111
  http://download.novell.com/patch/finder/?keywords=5921434f37058d8a8c2271862091b332