Bug 1743 - Multiple vulnerabilities have been discovered and corrected in php
Status: RESOLVED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Version: Marathon
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: ROSA Linux Bugs
QA Contact: ROSA Linux Bugs
Depends on:
Blocks:
Reported: 2013-03-02 06:45 MSK by Zombie Ryushu
Modified: 2013-03-14 02:57 MSK (History)

See Also:
RPM Package: php
ISO-related:
Bad POT generating:
Upstream:
alexander.petryakov: qa_verified+
dmitry.romashkin: secteam_verified+
alex.burmashev: published+


Description Zombie Ryushu 2013-03-02 06:45:11 MSK
PHP does not validate the configuration directive soap.wsdl_cache_dir
before writing SOAP wsdl cache files to the filesystem. Thus an
attacker is able to write remote wsdl files to arbitrary locations
(CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl
files which allows an attacker to read arbitrary files. If a web
application unserializes user-supplied data and tries to execute
any method of it, an attacker can send a serialized SoapClient
object initialized in non-wsdl mode which will make PHP automatically
parse the remote XML document specified in the location option
parameter (CVE-2013-1643).

Updated packages upgraded to the 5.3.22 version, which is not
vulnerable to these issues, should be produced.

Believe it or not, Mandriva 2011 already has this update deployed. It is the very last Mandriva 2011 update.
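The two issues in the report are configuration and parser behaviour that an administrator can check for on a host before and after the package update. The script below is an added example, not part of the bug report or of the ROSA php packages; the allowed cache prefix /var/lib/php/wsdlcache and the function names are assumptions chosen for illustration. It confirms the installed PHP is at or past the 5.3.22 fix level named in the report, verifies that soap.wsdl_cache_dir resolves to a directory under an expected non-web-served prefix (CVE-2013-1635), and, as an interim hardening for CVE-2013-1643, turns off libxml's external entity loader and WSDL caching so no remote document is fetched or written on behalf of a SoapClient.

```php
<?php
// Added example (not from the bug report): defensive checks for the
// conditions behind CVE-2013-1635 and CVE-2013-1643 on a PHP 5.3 host.
// The prefix /var/lib/php/wsdlcache and all function names are assumed.

// The report states the fixed release is 5.3.22.
function php_is_patched($version = PHP_VERSION) {
    return version_compare($version, '5.3.22', '>=');
}

// CVE-2013-1635: unpatched PHP wrote WSDL cache files wherever
// soap.wsdl_cache_dir pointed. Require the directive to resolve to an
// existing directory inside the allowed prefix.
function wsdl_cache_dir_is_sane($allowed_prefix = '/var/lib/php/wsdlcache') {
    $dir = ini_get('soap.wsdl_cache_dir');
    if ($dir === false || $dir === '') {
        return false;
    }
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return false;
    }
    $prefix = realpath($allowed_prefix);
    // Compare with a trailing slash so /var/lib/php/wsdlcache-other does not match.
    return $prefix !== false
        && strpos($real . '/', rtrim($prefix, '/') . '/') === 0;
}

// CVE-2013-1643: WSDL parsing honoured external entities. Until the patched
// package is installed, disable libxml's external entity loader process-wide
// and keep the WSDL cache off. Returns the previous loader state so a caller
// can restore it.
function harden_soap_runtime() {
    $previous = libxml_disable_entity_loader(true);
    ini_set('soap.wsdl_cache_enabled', '0');
    return $previous;
}

// When a client is still needed, be explicit about not caching the WSDL.
function make_soap_client($wsdl_url) {
    return new SoapClient($wsdl_url, array(
        'cache_wsdl' => WSDL_CACHE_NONE,
        'exceptions' => true,
    ));
}

if (PHP_SAPI === 'cli') {
    printf("PHP %s at or past the 5.3.22 fix level: %s\n",
        PHP_VERSION, php_is_patched() ? 'yes' : 'NO');
    printf("soap.wsdl_cache_dir inside allowed prefix: %s\n",
        wsdl_cache_dir_is_sane() ? 'yes' : 'NO');
    harden_soap_runtime();
}
```

The unserialize path described in the report has no runtime switch in PHP 5.3 (the allowed_classes option of unserialize() only arrived in PHP 7), so for that part the remedy is the package update itself plus not passing user-supplied data to unserialize().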
Comment 1 Denis Silakov 2013-03-11 17:45:31 MSK
Advisory:

php updated to 5.3.22 which is a bugfix release correcting a dozen issues. Complete changelog can be found here: http://www.php.net/ChangeLog-5.php (look at 5.3.x series).

Build lists:

(php-ini - should be published before the php itself)
https://abf.rosalinux.ru/build_lists/1016849
https://abf.rosalinux.ru/build_lists/1016833

(php itself)
https://abf.rosalinux.ru/build_lists/1016843
https://abf.rosalinux.ru/build_lists/1016850
Comment 2 Alexander Petryakov 2013-03-12 01:59:46 MSK
Is it correct that apache-mod_php is still 5.3.9-3.1?
Comment 3 Zombie Ryushu 2013-03-12 08:27:22 MSK
(In reply to comment #2)
> Is it correct that apache-mod_php is still 5.3.9-3.1?

apache-mod_php has to be upgraded.
Comment 4 Denis Silakov 2013-03-12 09:54:37 MSK
Agree, for safety, mod_php should be rebuilt with the new php. Here are the updated build lists.

Advisory:

php updated to 5.3.22 which is a bugfix release correcting a dozen issues. Complete changelog can be found here: http://www.php.net/ChangeLog-5.php (look at 5.3.x series).

Build lists:

(php-ini - should be published before the php itself)
https://abf.rosalinux.ru/build_lists/1016849
https://abf.rosalinux.ru/build_lists/1016833

(php itself)
https://abf.rosalinux.ru/build_lists/1016843
https://abf.rosalinux.ru/build_lists/1016850

(apache-mod_php)
https://abf.rosalinux.ru/build_lists/1017113
https://abf.rosalinux.ru/build_lists/1017112
Comment 5 Alexander Petryakov 2013-03-13 01:39:00 MSK
php-5.3.22-0.1
apache-mod_php-5.3.22-1
php-ini-5.3.22-0.1
************** Advisory **************
php updated to 5.3.22 which is a bugfix release correcting a dozen issues. Complete changelog can be found here: http://www.php.net/ChangeLog-5.php (look at 5.3.x series).
**************************************
QA Verified