| Description: | Description:
The remote host is missing an update to php5
announced via advisory USN-462-1.
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
Details follow:
A flaw was discovered in the FTP command handler in PHP. Commands were
not correctly filtered for control characters. An attacker could issue
arbitrary FTP commands using specially crafted arguments. (CVE-2007-2509)
Ilia Alshanetsky discovered a buffer overflow in the SOAP request handler
in PHP. Remote attackers could send a specially crafted SOAP request
and execute arbitrary code with web server privileges. (CVE-2007-2510)
Ilia Alshanetsky discovered a buffer overflow in the user filter factory
in PHP. A local attacker could create a specially crafted script and
execute arbitrary code with web server privileges. (CVE-2007-2511)
Gregory Beaver discovered that the PEAR installer did not validate
installation paths. If a user were tricked into installing a malicious
PEAR package, an attacker could overwrite arbitrary files. (CVE-2007-2519)
Solution:
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
libapache2-mod-php5 5.1.2-1ubuntu3.8
php-pear 5.1.2-1ubuntu3.8
php5-cgi 5.1.2-1ubuntu3.8
php5-cli 5.1.2-1ubuntu3.8
php5-xmlrpc 5.1.2-1ubuntu3.8
Ubuntu 6.10:
libapache2-mod-php5 5.1.6-1ubuntu2.5
php-pear 5.1.6-1ubuntu2.5
php5-cgi 5.1.6-1ubuntu2.5
php5-cli 5.1.6-1ubuntu2.5
php5-xmlrpc 5.1.6-1ubuntu2.5
Ubuntu 7.04:
libapache2-mod-php5 5.2.1-0ubuntu1.2
php-pear 5.2.1-0ubuntu1.2
php5-cgi 5.2.1-0ubuntu1.2
php5-cli 5.2.1-0ubuntu1.2
php5-xmlrpc 5.2.1-0ubuntu1.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
http://www.securityspace.com/smysecure/catid.html?in=USN-462-1
Risk factor : High
CVSS Score:
7.2
|
