Mandrake Local Security Checks : Mandriva Update for php-phar MDVSA-2011:004 (php-phar)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.831305

Categoría: Mandrake Local Security Checks

Título: Mandriva Update for php-phar MDVSA-2011:004 (php-phar)

Resumen: The remote host is missing an update for the 'php-phar'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'php-phar'
package(s) announced via the referenced advisory.

Vulnerability Insight:
A vulnerability has been found and corrected in php-phar:

Multiple format string vulnerabilities in the phar extension in PHP
5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive
information (memory contents) and possibly execute arbitrary code
via a crafted phar:// URI that is not properly handled by the (1)
phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or
(4) phar_wrapper_open_url functions in ext/phar/stream.c, and the (5)
phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers
errors in the php_stream_wrapper_log_error function (CVE-2010-2094).

The updated packages have been upgraded to the latest version (2.0.0)
and patched to correct this issue.

Affected Software/OS:
php-phar on Mandriva Enterprise Server 5,
Mandriva Enterprise Server 5/X86_64

Solution:
Please Install the Updated Packages.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2010-2094
http://www.mandriva.com/security/advisories?name=MDVSA-2011:004
http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html
http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html
http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html
SuSE Security Announcement: SUSE-SR:2010:017 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
SuSE Security Announcement: SUSE-SR:2010:018 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html
http://www.vupen.com/english/advisories/2011/0068

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.831305
Categoría:	Mandrake Local Security Checks
Título:	Mandriva Update for php-phar MDVSA-2011:004 (php-phar)
Resumen:	The remote host is missing an update for the 'php-phar'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'php-phar' package(s) announced via the referenced advisory. Vulnerability Insight: A vulnerability has been found and corrected in php-phar: Multiple format string vulnerabilities in the phar extension in PHP 5.3 before 5.3.2 allow context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the (1) phar_stream_flush, (2) phar_wrapper_unlink, (3) phar_parse_url, or (4) phar_wrapper_open_url functions in ext/phar/stream.c, and the (5) phar_wrapper_open_dir function in ext/phar/dirstream.c, which triggers errors in the php_stream_wrapper_log_error function (CVE-2010-2094). The updated packages have been upgraded to the latest version (2.0.0) and patched to correct this issue. Affected Software/OS: php-phar on Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64 Solution: Please Install the Updated Packages. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-2094 http://www.mandriva.com/security/advisories?name=MDVSA-2011:004 http://php-security.org/2010/05/14/mops-2010-024-php-phar_stream_flush-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-025-php-phar_wrapper_open_dir-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-026-php-phar_wrapper_unlink-format-string-vulnerability/index.html http://php-security.org/2010/05/14/mops-2010-027-php-phar_parse_url-format-string-vulnerabilities/index.html http://php-security.org/2010/05/14/mops-2010-028-php-phar_wrapper_open_url-format-string-vulnerabilities/index.html SuSE Security Announcement: SUSE-SR:2010:017 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html SuSE Security Announcement: SUSE-SR:2010:018 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html http://www.vupen.com/english/advisories/2011/0068
Copyright	Copyright (C) 2011 Greenbone AG