[security-announce] SUSE-SU-2012:0496-1: important: Security update for PHP5

SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0496-1
Rating:             important
References:         #699711 #709549 #713652 #728671 #733590 #735613
                    #736169 #738221 #741520 #741859 #742273 #742806
                    #743308 #744966 #746661 #749111
Cross-References:   CVE-2011-1072 CVE-2011-1466 CVE-2011-2202
                    CVE-2011-3182 CVE-2011-4153 CVE-2011-4566
                    CVE-2011-4885 CVE-2012-0057 CVE-2012-0781
                    CVE-2012-0788 CVE-2012-0789 CVE-2012-0807
                    CVE-2012-0830 CVE-2012-0831
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
______________________________________________________________________________

An update that solves 14 vulnerabilities and has two fixes
is now available. It includes one version update.

Description:


This update of php5 fixes multiple security flaws:

* CVE-2011-2202: A php5 upload filename injection was fixed.
* CVE-2011-4566: An integer overflow in the EXIF extension was fixed that could be used by attackers to crash the interpreter or potentially read memory.
* CVE-2011-3182: Multiple NULL pointer dereferences were fixed that could lead to crashes.
* CVE-2011-1466: An integer overflow in the PHP calendar extension was fixed that could have led to crashes.
* CVE-2011-1072: A symlink vulnerability in the PEAR installer could be exploited by local attackers to inject code.
* CVE-2011-4153: Missing checks of return values could allow remote attackers to cause a denial of service (NULL pointer dereference).
* CVE-2011-4885: Denial of service via hash collisions.
* CVE-2012-0057: Specially crafted XSLT stylesheets could allow remote attackers to create arbitrary files with arbitrary content.
* CVE-2012-0781: Remote attackers can cause a denial of service via specially crafted input to an application that attempts to perform Tidy::diagnose operations.
* CVE-2012-0788: Applications that use a PDO driver were prone to denial of service flaws which could be exploited remotely.
* CVE-2012-0789: A memory leak in the timezone functionality could allow remote attackers to cause a denial of service (memory consumption).
* CVE-2012-0807: A stack-based buffer overflow in the php5 Suhosin extension could allow remote attackers to execute arbitrary code via a long string that is used in a Set-Cookie HTTP header.
* CVE-2012-0830: This fixes an incorrect fix for CVE-2011-4885 which could allow remote attackers to execute arbitrary code via a request containing a large number of variables.
* CVE-2012-0831: Temporary changes to the magic_quotes_gpc directive during the importing of environment variables were not properly performed, which made it easier for remote attackers to conduct SQL injections.

 

Also the following bugs have been fixed:

* allow uploading files bigger than 2GB for 64bit systems [bnc#709549]
* amend README.SUSE to discourage using apache module with apache2-worker [bnc#728671]


Security Issue references:

* CVE-2011-2202
* CVE-2011-4153
* CVE-2011-4885
* CVE-2012-0057
* CVE-2012-0781
* CVE-2012-0788
* CVE-2012-0789
* CVE-2012-0807
* CVE-2012-0830
* CVE-2012-0831
* CVE-2011-4566
* CVE-2011-3182
* CVE-2011-1466
* CVE-2011-1072


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Software Development Kit 11 SP2:

    zypper in -t patch sdksp1-apache2-mod_php5-5964

- SUSE Linux Enterprise Software Development Kit 11 SP1:

    zypper in -t patch sdksp1-apache2-mod_php5-5964

- SUSE Linux Enterprise Server 11 SP2:

    zypper in -t patch slessp1-apache2-mod_php5-5964

- SUSE Linux Enterprise Server 11 SP1 for VMware:

    zypper in -t patch slessp1-apache2-mod_php5-5964

- SUSE Linux Enterprise Server 11 SP1:

    zypper in -t patch slessp1-apache2-mod_php5-5964

To bring your system up-to-date, use "zypper patch".

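As an added example that is not part of the advisory, the following Python check parses `rpm -qa` output from a SLES 11 host and reports which php5 packages are still below the 5.2.14-0.7.30.34.1 version-release this update ships, so an administrator can confirm the patch actually landed on every sub-package. The rpm output is constructed, and the version comparison is a simplified rpmvercmp written for this example.

```python
import re

# Version-release every php5 package is raised to by this update (from the advisory's package list).
FIXED_VERSION = "5.2.14"
FIXED_RELEASE = "0.7.30.34.1"

# Constructed sample (not real host data) of the output of:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' 'php5*' apache2-mod_php5
# on a host where the update was only partially applied.
SAMPLE_RPM_OUTPUT = """\
apache2-mod_php5 5.2.14 0.7.30.34.1
php5 5.2.14 0.7.30.34.1
php5-exif 5.2.14 0.7.30.30.1
php5-suhosin 5.2.14 0.7.30.9.3
php5-xsl 5.2.6 0.7.30.34.1
php5-ldap 5.2.14 0.7.30.34.1
"""

def _segments(s):
    # Split into numeric and alphabetic runs, the way rpmvercmp tokenises version strings.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, a numeric segment
    beats an alphabetic one, and on a tie the string with more segments is newer."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_patched(version, release):
    # Version decides first; the release is only compared when versions are equal.
    vc = rpmvercmp(version, FIXED_VERSION)
    return vc > 0 if vc != 0 else rpmvercmp(release, FIXED_RELEASE) >= 0

def unpatched_packages(rpm_output):
    """Names of installed php5 packages still below the fixed version-release."""
    stale = []
    for line in rpm_output.splitlines():
        if line.strip():
            name, version, release = line.split()
            if not is_patched(version, release):
                stale.append(name)
    return stale
```

On a real host, pipe the `rpm -qa` query shown in the comment into `unpatched_packages`; an empty result means every php5 sub-package is at or above the fixed version-release.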

Package List:

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

    php5-devel-5.2.14-0.7.30.34.1
    php5-imap-5.2.14-0.7.30.34.1
    php5-ncurses-5.2.14-0.7.30.34.1
    php5-posix-5.2.14-0.7.30.34.1
    php5-readline-5.2.14-0.7.30.34.1
    php5-sockets-5.2.14-0.7.30.34.1
    php5-sqlite-5.2.14-0.7.30.34.1
    php5-tidy-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64) [New Version: 5.2.14]:

    apache2-mod_php5-5.2.14-0.7.30.34.1
    php5-5.2.14-0.7.30.34.1
    php5-bcmath-5.2.14-0.7.30.34.1
    php5-bz2-5.2.14-0.7.30.34.1
    php5-calendar-5.2.14-0.7.30.34.1
    php5-ctype-5.2.14-0.7.30.34.1
    php5-curl-5.2.14-0.7.30.34.1
    php5-dba-5.2.14-0.7.30.34.1
    php5-dbase-5.2.14-0.7.30.34.1
    php5-dom-5.2.14-0.7.30.34.1
    php5-exif-5.2.14-0.7.30.34.1
    php5-fastcgi-5.2.14-0.7.30.34.1
    php5-ftp-5.2.14-0.7.30.34.1
    php5-gd-5.2.14-0.7.30.34.1
    php5-gettext-5.2.14-0.7.30.34.1
    php5-gmp-5.2.14-0.7.30.34.1
    php5-hash-5.2.14-0.7.30.34.1
    php5-iconv-5.2.14-0.7.30.34.1
    php5-json-5.2.14-0.7.30.34.1
    php5-ldap-5.2.14-0.7.30.34.1
    php5-mbstring-5.2.14-0.7.30.34.1
    php5-mcrypt-5.2.14-0.7.30.34.1
    php5-mysql-5.2.14-0.7.30.34.1
    php5-odbc-5.2.14-0.7.30.34.1
    php5-openssl-5.2.14-0.7.30.34.1
    php5-pcntl-5.2.14-0.7.30.34.1
    php5-pdo-5.2.14-0.7.30.34.1
    php5-pear-5.2.14-0.7.30.34.1
    php5-pgsql-5.2.14-0.7.30.34.1
    php5-pspell-5.2.14-0.7.30.34.1
    php5-shmop-5.2.14-0.7.30.34.1
    php5-snmp-5.2.14-0.7.30.34.1
    php5-soap-5.2.14-0.7.30.34.1
    php5-suhosin-5.2.14-0.7.30.34.1
    php5-sysvmsg-5.2.14-0.7.30.34.1
    php5-sysvsem-5.2.14-0.7.30.34.1
    php5-sysvshm-5.2.14-0.7.30.34.1
    php5-tokenizer-5.2.14-0.7.30.34.1
    php5-wddx-5.2.14-0.7.30.34.1
    php5-xmlreader-5.2.14-0.7.30.34.1
    php5-xmlrpc-5.2.14-0.7.30.34.1
    php5-xmlwriter-5.2.14-0.7.30.34.1
    php5-xsl-5.2.14-0.7.30.34.1
    php5-zip-5.2.14-0.7.30.34.1
    php5-zlib-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

    php5-devel-5.2.14-0.7.30.34.1
    php5-imap-5.2.14-0.7.30.34.1
    php5-ncurses-5.2.14-0.7.30.34.1
    php5-posix-5.2.14-0.7.30.34.1
    php5-readline-5.2.14-0.7.30.34.1
    php5-sockets-5.2.14-0.7.30.34.1
    php5-sqlite-5.2.14-0.7.30.34.1
    php5-tidy-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 5.2.14]:

    apache2-mod_php5-5.2.14-0.7.30.34.1
    php5-5.2.14-0.7.30.34.1
    php5-bcmath-5.2.14-0.7.30.34.1
    php5-bz2-5.2.14-0.7.30.34.1
    php5-calendar-5.2.14-0.7.30.34.1
    php5-ctype-5.2.14-0.7.30.34.1
    php5-curl-5.2.14-0.7.30.34.1
    php5-dba-5.2.14-0.7.30.34.1
    php5-dbase-5.2.14-0.7.30.34.1
    php5-dom-5.2.14-0.7.30.34.1
    php5-exif-5.2.14-0.7.30.34.1
    php5-fastcgi-5.2.14-0.7.30.34.1
    php5-ftp-5.2.14-0.7.30.34.1
    php5-gd-5.2.14-0.7.30.34.1
    php5-gettext-5.2.14-0.7.30.34.1
    php5-gmp-5.2.14-0.7.30.34.1
    php5-hash-5.2.14-0.7.30.34.1
    php5-iconv-5.2.14-0.7.30.34.1
    php5-json-5.2.14-0.7.30.34.1
    php5-ldap-5.2.14-0.7.30.34.1
    php5-mbstring-5.2.14-0.7.30.34.1
    php5-mcrypt-5.2.14-0.7.30.34.1
    php5-mysql-5.2.14-0.7.30.34.1
    php5-odbc-5.2.14-0.7.30.34.1
    php5-openssl-5.2.14-0.7.30.34.1
    php5-pcntl-5.2.14-0.7.30.34.1
    php5-pdo-5.2.14-0.7.30.34.1
    php5-pear-5.2.14-0.7.30.34.1
    php5-pgsql-5.2.14-0.7.30.34.1
    php5-pspell-5.2.14-0.7.30.34.1
    php5-shmop-5.2.14-0.7.30.34.1
    php5-snmp-5.2.14-0.7.30.34.1
    php5-soap-5.2.14-0.7.30.34.1
    php5-suhosin-5.2.14-0.7.30.34.1
    php5-sysvmsg-5.2.14-0.7.30.34.1
    php5-sysvsem-5.2.14-0.7.30.34.1
    php5-sysvshm-5.2.14-0.7.30.34.1
    php5-tokenizer-5.2.14-0.7.30.34.1
    php5-wddx-5.2.14-0.7.30.34.1
    php5-xmlreader-5.2.14-0.7.30.34.1
    php5-xmlrpc-5.2.14-0.7.30.34.1
    php5-xmlwriter-5.2.14-0.7.30.34.1
    php5-xsl-5.2.14-0.7.30.34.1
    php5-zip-5.2.14-0.7.30.34.1
    php5-zlib-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

    apache2-mod_php5-5.2.14-0.7.30.34.1
    php5-5.2.14-0.7.30.34.1
    php5-bcmath-5.2.14-0.7.30.34.1
    php5-bz2-5.2.14-0.7.30.34.1
    php5-calendar-5.2.14-0.7.30.34.1
    php5-ctype-5.2.14-0.7.30.34.1
    php5-curl-5.2.14-0.7.30.34.1
    php5-dba-5.2.14-0.7.30.34.1
    php5-dbase-5.2.14-0.7.30.34.1
    php5-dom-5.2.14-0.7.30.34.1
    php5-exif-5.2.14-0.7.30.34.1
    php5-fastcgi-5.2.14-0.7.30.34.1
    php5-ftp-5.2.14-0.7.30.34.1
    php5-gd-5.2.14-0.7.30.34.1
    php5-gettext-5.2.14-0.7.30.34.1
    php5-gmp-5.2.14-0.7.30.34.1
    php5-hash-5.2.14-0.7.30.34.1
    php5-iconv-5.2.14-0.7.30.34.1
    php5-json-5.2.14-0.7.30.34.1
    php5-ldap-5.2.14-0.7.30.34.1
    php5-mbstring-5.2.14-0.7.30.34.1
    php5-mcrypt-5.2.14-0.7.30.34.1
    php5-mysql-5.2.14-0.7.30.34.1
    php5-odbc-5.2.14-0.7.30.34.1
    php5-openssl-5.2.14-0.7.30.34.1
    php5-pcntl-5.2.14-0.7.30.34.1
    php5-pdo-5.2.14-0.7.30.34.1
    php5-pear-5.2.14-0.7.30.34.1
    php5-pgsql-5.2.14-0.7.30.34.1
    php5-pspell-5.2.14-0.7.30.34.1
    php5-shmop-5.2.14-0.7.30.34.1
    php5-snmp-5.2.14-0.7.30.34.1
    php5-soap-5.2.14-0.7.30.34.1
    php5-suhosin-5.2.14-0.7.30.34.1
    php5-sysvmsg-5.2.14-0.7.30.34.1
    php5-sysvsem-5.2.14-0.7.30.34.1
    php5-sysvshm-5.2.14-0.7.30.34.1
    php5-tokenizer-5.2.14-0.7.30.34.1
    php5-wddx-5.2.14-0.7.30.34.1
    php5-xmlreader-5.2.14-0.7.30.34.1
    php5-xmlrpc-5.2.14-0.7.30.34.1
    php5-xmlwriter-5.2.14-0.7.30.34.1
    php5-xsl-5.2.14-0.7.30.34.1
    php5-zip-5.2.14-0.7.30.34.1
    php5-zlib-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 5.2.14]:

    apache2-mod_php5-5.2.14-0.7.30.34.1
    php5-5.2.14-0.7.30.34.1
    php5-bcmath-5.2.14-0.7.30.34.1
    php5-bz2-5.2.14-0.7.30.34.1
    php5-calendar-5.2.14-0.7.30.34.1
    php5-ctype-5.2.14-0.7.30.34.1
    php5-curl-5.2.14-0.7.30.34.1
    php5-dba-5.2.14-0.7.30.34.1
    php5-dbase-5.2.14-0.7.30.34.1
    php5-dom-5.2.14-0.7.30.34.1
    php5-exif-5.2.14-0.7.30.34.1
    php5-fastcgi-5.2.14-0.7.30.34.1
    php5-ftp-5.2.14-0.7.30.34.1
    php5-gd-5.2.14-0.7.30.34.1
    php5-gettext-5.2.14-0.7.30.34.1
    php5-gmp-5.2.14-0.7.30.34.1
    php5-hash-5.2.14-0.7.30.34.1
    php5-iconv-5.2.14-0.7.30.34.1
    php5-json-5.2.14-0.7.30.34.1
    php5-ldap-5.2.14-0.7.30.34.1
    php5-mbstring-5.2.14-0.7.30.34.1
    php5-mcrypt-5.2.14-0.7.30.34.1
    php5-mysql-5.2.14-0.7.30.34.1
    php5-odbc-5.2.14-0.7.30.34.1
    php5-openssl-5.2.14-0.7.30.34.1
    php5-pcntl-5.2.14-0.7.30.34.1
    php5-pdo-5.2.14-0.7.30.34.1
    php5-pear-5.2.14-0.7.30.34.1
    php5-pgsql-5.2.14-0.7.30.34.1
    php5-pspell-5.2.14-0.7.30.34.1
    php5-shmop-5.2.14-0.7.30.34.1
    php5-snmp-5.2.14-0.7.30.34.1
    php5-soap-5.2.14-0.7.30.34.1
    php5-suhosin-5.2.14-0.7.30.34.1
    php5-sysvmsg-5.2.14-0.7.30.34.1
    php5-sysvsem-5.2.14-0.7.30.34.1
    php5-sysvshm-5.2.14-0.7.30.34.1
    php5-tokenizer-5.2.14-0.7.30.34.1
    php5-wddx-5.2.14-0.7.30.34.1
    php5-xmlreader-5.2.14-0.7.30.34.1
    php5-xmlrpc-5.2.14-0.7.30.34.1
    php5-xmlwriter-5.2.14-0.7.30.34.1
    php5-xsl-5.2.14-0.7.30.34.1
    php5-zip-5.2.14-0.7.30.34.1
    php5-zlib-5.2.14-0.7.30.34.1

- SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

    apache2-mod_php5-5.2.14-0.7.30.34.1
    php5-5.2.14-0.7.30.34.1
    php5-bcmath-5.2.14-0.7.30.34.1
    php5-bz2-5.2.14-0.7.30.34.1
    php5-calendar-5.2.14-0.7.30.34.1
    php5-ctype-5.2.14-0.7.30.34.1
    php5-curl-5.2.14-0.7.30.34.1
    php5-dba-5.2.14-0.7.30.34.1
    php5-dbase-5.2.14-0.7.30.34.1
    php5-dom-5.2.14-0.7.30.34.1
    php5-exif-5.2.14-0.7.30.34.1
    php5-fastcgi-5.2.14-0.7.30.34.1
    php5-ftp-5.2.14-0.7.30.34.1
    php5-gd-5.2.14-0.7.30.34.1
    php5-gettext-5.2.14-0.7.30.34.1
    php5-gmp-5.2.14-0.7.30.34.1
    php5-hash-5.2.14-0.7.30.34.1
    php5-iconv-5.2.14-0.7.30.34.1
    php5-json-5.2.14-0.7.30.34.1
    php5-ldap-5.2.14-0.7.30.34.1
    php5-mbstring-5.2.14-0.7.30.34.1
    php5-mcrypt-5.2.14-0.7.30.34.1
    php5-mysql-5.2.14-0.7.30.34.1
    php5-odbc-5.2.14-0.7.30.34.1
    php5-openssl-5.2.14-0.7.30.34.1
    php5-pcntl-5.2.14-0.7.30.34.1
    php5-pdo-5.2.14-0.7.30.34.1
    php5-pear-5.2.14-0.7.30.34.1
    php5-pgsql-5.2.14-0.7.30.34.1
    php5-pspell-5.2.14-0.7.30.34.1
    php5-shmop-5.2.14-0.7.30.34.1
    php5-snmp-5.2.14-0.7.30.34.1
    php5-soap-5.2.14-0.7.30.34.1
    php5-suhosin-5.2.14-0.7.30.34.1
    php5-sysvmsg-5.2.14-0.7.30.34.1
    php5-sysvsem-5.2.14-0.7.30.34.1
    php5-sysvshm-5.2.14-0.7.30.34.1
    php5-tokenizer-5.2.14-0.7.30.34.1
    php5-wddx-5.2.14-0.7.30.34.1
    php5-xmlreader-5.2.14-0.7.30.34.1
    php5-xmlrpc-5.2.14-0.7.30.34.1
    php5-xmlwriter-5.2.14-0.7.30.34.1
    php5-xsl-5.2.14-0.7.30.34.1
    php5-zip-5.2.14-0.7.30.34.1
    php5-zlib-5.2.14-0.7.30.34.1


References:

http://support.novell.com/security/cve/CVE-2011-1072.html
http://support.novell.com/security/cve/CVE-2011-1466.html
http://support.novell.com/security/cve/CVE-2011-2202.html
http://support.novell.com/security/cve/CVE-2011-3182.html
http://support.novell.com/security/cve/CVE-2011-4153.html
http://support.novell.com/security/cve/CVE-2011-4566.html
http://support.novell.com/security/cve/CVE-2011-4885.html
http://support.novell.com/security/cve/CVE-2012-0057.html
http://support.novell.com/security/cve/CVE-2012-0781.html
http://support.novell.com/security/cve/CVE-2012-0788.html
http://support.novell.com/security/cve/CVE-2012-0789.html
http://support.novell.com/security/cve/CVE-2012-0807.html
http://support.novell.com/security/cve/CVE-2012-0830.html
http://support.novell.com/security/cve/CVE-2012-0831.html
https://bugzilla.novell.com/699711
https://bugzilla.novell.com/709549
https://bugzilla.novell.com/713652
https://bugzilla.novell.com/728671
https://bugzilla.novell.com/733590
https://bugzilla.novell.com/735613
https://bugzilla.novell.com/736169
https://bugzilla.novell.com/738221
https://bugzilla.novell.com/741520
https://bugzilla.novell.com/741859
https://bugzilla.novell.com/742273
https://bugzilla.novell.com/742806
https://bugzilla.novell.com/743308
https://bugzilla.novell.com/744966
https://bugzilla.novell.com/746661
https://bugzilla.novell.com/749111
http://download.novell.com/patch/finder/?keywords=778ae960c062031cb692b8c0c4a67400

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org
For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
