Test ID:	1.3.6.1.4.1.25623.1.0.51349
Category:	Conectiva Local Security Checks
Title:	Conectiva Security Advisory CLA-2004:847
Summary:	NOSUMMARY
Description:	Description: The remote host is missing updates announced in advisory CLA-2004:847. PHP[1] is a very popular scripting language used by web servers to offer dynamic content. Stefan Esser noted[2] a vulnerability[3] in php code so that a remote attacker could force php to hit memory_limit in unsafe places which would lead to a possible execution of arbitrary code. He also found[4] out that the strip_tags() function, often used as a validator for user input, could allow tags containing the null char. This announcement also fixes the misinstalation of the CLI interface instead of the CGI one. Thanks to Willian Marcelo Piovezan for the report[5]. Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade' http://www.php.net/ http://security.e-matters.de/advisories/112004.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0594 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0595 http://bugzilla.conectiva.com.br/show_bug.cgi?id=11197 http://www.securityspace.com/smysecure/catid.html?in=CLA-2004:847 http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002004 Risk factor : High CVSS Score: 6.8
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2004-0594 BugTraq ID: 10725 http://www.securityfocus.com/bid/10725 Bugtraq: 20040713 Advisory 11/2004: PHP memory_limit remote vulnerability (Google Search) http://marc.info/?l=bugtraq&m=108981780109154&w=2 Bugtraq: 20040714 TSSA-2004-013 - php (Google Search) http://marc.info/?l=bugtraq&m=108982983426031&w=2 Bugtraq: 20040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php) (Google Search) http://marc.info/?l=bugtraq&m=109051444105182&w=2 Conectiva Linux advisory: CLA-2004:847 http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000847 Debian Security Information: DSA-531 (Google Search) http://www.debian.org/security/2004/dsa-531 Debian Security Information: DSA-669 (Google Search) http://www.debian.org/security/2005/dsa-669 http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023908.html http://www.gentoo.org/security/en/glsa/glsa-200407-13.xml HPdes Security Advisory: SSRT4777 http://marc.info/?l=bugtraq&m=109181600614477&w=2 http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:068 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10896 http://www.redhat.com/support/errata/RHSA-2004-392.html http://www.redhat.com/support/errata/RHSA-2004-395.html http://www.redhat.com/support/errata/RHSA-2004-405.html http://www.redhat.com/support/errata/RHSA-2005-816.html SuSE Security Announcement: SUSE-SA:2004:021 (Google Search) http://www.novell.com/linux/security/advisories/2004_21_php4.html http://www.trustix.org/errata/2004/0039/ XForce ISS Database: php-memorylimit-code-execution(16693) https://exchange.xforce.ibmcloud.com/vulnerabilities/16693 Common Vulnerability Exposure (CVE) ID: CVE-2004-0595 BugTraq ID: 10724 http://www.securityfocus.com/bid/10724 http://lists.grok.org.uk/pipermail/full-disclosure/2004-July/023909.html https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10619 XForce ISS Database: php-strip-tag-bypass(16692) https://exchange.xforce.ibmcloud.com/vulnerabilities/16692
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.