news 28 Posted September 24, 2012 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: PHP: Multiple vulnerabilities Date: September 24, 2012 Bugs: #384301, #396311, #396533, #399247, #399567, #399573, #401997, #410957, #414553, #421489, #427354, #429630 ID: 201209-03 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities were found in PHP, the worst of which lead to remote execution of arbitrary code. Background ========== PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 dev-lang/php < 5.3.15 >= 5.3.15 < 5.4.5 >= 5.4.5 ------------------------------------------------------------------- # Package 1 only applies to users of these architectures: arm Description =========== Multiple vulnerabilities have been discovered in PHP. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker could execute arbitrary code with the privileges of the process, cause a Denial of Service condition, obtain sensitive information, create arbitrary files, conduct directory traversal attacks, bypass protection mechanisms, or perform further attacks with unspecified impact. Workaround ========== There is no known workaround at this time. Resolution ========== All PHP users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.15" All PHP users on ARM should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.5" References ========== [ 1 ] CVE-2011-1398 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398 [ 2 ] CVE-2011-3379 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379 [ 3 ] CVE-2011-4566 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4566 [ 4 ] CVE-2011-4885 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885 [ 5 ] CVE-2012-0057 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057 [ 6 ] CVE-2012-0788 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788 [ 7 ] CVE-2012-0789 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789 [ 8 ] CVE-2012-0830 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0830 [ 9 ] CVE-2012-0831 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0831 [ 10 ] CVE-2012-1172 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172 [ 11 ] CVE-2012-1823 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823 [ 12 ] CVE-2012-2143 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143 [ 13 ] CVE-2012-2311 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311 [ 14 ] CVE-2012-2335 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335 [ 15 ] CVE-2012-2336 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336 [ 16 ] CVE-2012-2386 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386 [ 17 ] CVE-2012-2688 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688 [ 18 ] CVE-2012-3365 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365 [ 19 ] CVE-2012-3450 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201209-03.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security ( -at -) gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5 Share this post Link to post