Rapid7 Vulnerability & Exploit Database

RHSA-2011:0195: php security update

Back to Search

RHSA-2011:0195: php security update

Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
11/12/2010
Created
07/25/2018
Added
02/10/2011
Modified
07/04/2017

Description

PHP is an HTML-embedded scripting language commonly used with the ApacheHTTP Server.A flaw was found in the way PHP converted certain floating point valuesfrom string representation to a number. If a PHP script evaluated anattacker's input in a numeric context, the PHP interpreter could cause highCPU usage until the script execution time limit is reached. This issue onlyaffected i386 systems. (CVE-2010-4645)A numeric truncation error and an input validation flaw were found in theway the PHP utf8_decode() function decoded partial multi-byte sequencesfor some multi-byte encodings, sending them to output without them beingescaped. An attacker could use these flaws to perform a cross-sitescripting attack. (CVE-2009-5016, CVE-2010-3870)A NULL pointer dereference flaw was found in the PHPZipArchive::getArchiveComment function. If a script used this function toinspect a specially-crafted ZIP archive file, it could cause the PHPinterpreter to crash. (CVE-2010-3709)All php users should upgrade to these updated packages, which containbackported patches to resolve these issues. After installing the updatedpackages, the httpd daemon must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-php
  • redhat-upgrade-php-bcmath
  • redhat-upgrade-php-cli
  • redhat-upgrade-php-common
  • redhat-upgrade-php-dba
  • redhat-upgrade-php-debuginfo
  • redhat-upgrade-php-devel
  • redhat-upgrade-php-embedded
  • redhat-upgrade-php-enchant
  • redhat-upgrade-php-gd
  • redhat-upgrade-php-imap
  • redhat-upgrade-php-intl
  • redhat-upgrade-php-ldap
  • redhat-upgrade-php-mbstring
  • redhat-upgrade-php-mysql
  • redhat-upgrade-php-odbc
  • redhat-upgrade-php-pdo
  • redhat-upgrade-php-pgsql
  • redhat-upgrade-php-process
  • redhat-upgrade-php-pspell
  • redhat-upgrade-php-recode
  • redhat-upgrade-php-snmp
  • redhat-upgrade-php-soap
  • redhat-upgrade-php-tidy
  • redhat-upgrade-php-xml
  • redhat-upgrade-php-xmlrpc
  • redhat-upgrade-php-zts

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;