Mandrake Local Security Checks : Mandriva Security Advisory MDVSA-2011:004 (php-phar)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.68733

Categoría: Mandrake Local Security Checks

Título: Mandriva Security Advisory MDVSA-2011:004 (php-phar)

Resumen: NOSUMMARY

Descripción: Description:
The remote host is missing an update to php-phar
announced via advisory MDVSA-2011:004.

A vulnerability has been found and corrected in php-phar:

Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code
via a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or
(4) phar_wrapper_open_url functions in ext/phar/stream.c
and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function (CVE-2010-2094).

The updated packages have been upgraded to the latest version (2.0.0)
and patched to correct this issue.

Affected: Enterprise Server 5.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2011:004

Risk factor : High

CVSS Score:
6.8

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2010-2094
http://www.mandriva.com/security/advisories?name=MDVSA-2011:004
http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html
SuSE Security Announcement: SUSE-SR:2010:017 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
SuSE Security Announcement: SUSE-SR:2010:018 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html
http://www.vupen.com/english/advisories/2011/0068

Copyright Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.68733
Categoría:	Mandrake Local Security Checks
Título:	Mandriva Security Advisory MDVSA-2011:004 (php-phar)
Resumen:	NOSUMMARY
Descripción:	Description: The remote host is missing an update to php-phar announced via advisory MDVSA-2011:004. A vulnerability has been found and corrected in php-phar: Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function (CVE-2010-2094). The updated packages have been upgraded to the latest version (2.0.0) and patched to correct this issue. Affected: Enterprise Server 5.0 Solution: To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2011:004 Risk factor : High CVSS Score: 6.8
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-2094 http://www.mandriva.com/security/advisories?name=MDVSA-2011:004 http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html SuSE Security Announcement: SUSE-SR:2010:017 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html SuSE Security Announcement: SUSE-SR:2010:018 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html http://www.vupen.com/english/advisories/2011/0068
Copyright	Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com