| Description: | Summary:
The remote host is missing an update for the Debian 'php4' package(s) announced via the DSA-1264-1 advisory.
Vulnerability Insight:
Several remote vulnerabilities have been discovered in PHP, a server-side, HTML-embedded scripting language, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-0906
It was discovered that an integer overflow in the str_replace() function could lead to the execution of arbitrary code.
CVE-2007-0907
It was discovered that a buffer underflow in the sapi_header_op() function could crash the PHP interpreter.
CVE-2007-0908
Stefan Esser discovered that a programming error in the wddx extension allows information disclosure.
CVE-2007-0909
It was discovered that a format string vulnerability in the odbc_result_all() functions allows the execution of arbitrary code.
CVE-2007-0910
It was discovered that super-global variables could be overwritten with session data.
CVE-2007-0988
Stefan Esser discovered that the zend_hash_init() function could be tricked into an endless loop, allowing denial of service through resource consumption until a timeout is triggered.
For the stable distribution (sarge) these problems have been fixed in version 4:4.3.10-19.
For the unstable distribution (sid) these problems have been fixed in version 6:4.4.4-9 of php4 and version 5.2.0-9 of php5.
We recommend that you upgrade your php4 packages.
Affected Software/OS:
'php4' package(s) on Debian 3.1.
Solution:
Please install the updated package(s).
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
