| |||||||||||||
| Test ID: | 1.3.6.1.4.1.25623.1.0.66745 |
| Category: | Ubuntu Local Security Checks |
| Title: | Ubuntu USN-882-1 (php5) |
| Summary: | Ubuntu USN-882-1 (php5) |
| Description: | The remote host is missing an update to php5 announced via advisory USN-882-1. Details follow: Maksymilian Arciemowicz discovered that PHP did not properly handle the ini_restore function. An attacker could exploit this issue to obtain random memory contents or to cause the PHP server to crash, resulting in a denial of service. (CVE-2009-2626) It was discovered that the htmlspecialchars function did not properly handle certain character sequences, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2009-4142) Stefan Esser discovered that PHP did not properly handle session data. An attacker could exploit this issue to bypass safe_mode or open_basedir restrictions. (CVE-2009-4143) Solution: The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: php5-cgi 5.1.2-1ubuntu3.18 php5-cli 5.1.2-1ubuntu3.18 Ubuntu 8.04 LTS: php5-cgi 5.2.4-2ubuntu5.10 php5-cli 5.2.4-2ubuntu5.10 Ubuntu 8.10: php5-cgi 5.2.6-2ubuntu4.6 php5-cli 5.2.6-2ubuntu4.6 Ubuntu 9.04: php5-cgi 5.2.6.dfsg.1-3ubuntu4.5 php5-cli 5.2.6.dfsg.1-3ubuntu4.5 Ubuntu 9.10: php5-cgi 5.2.10.dfsg.1-2ubuntu6.4 php5-cli 5.2.10.dfsg.1-2ubuntu6.4 In general, a standard system upgrade is sufficient to effect the necessary changes. http://www.securityspace.com/smysecure/catid.html?in=USN-882-1 Risk factor : Critical |
| Cross-Ref: |
Common Vulnerability Exposure (CVE) ID: CVE-2009-2626 http://securityreason.com/achievement_securityalert/65 Debian Security Information: DSA-1940 (Google Search) http://www.debian.org/security/2009/dsa-1940 BugTraq ID: 36009 http://www.securityfocus.com/bid/36009 http://secunia.com/advisories/37482 Common Vulnerability Exposure (CVE) ID: CVE-2009-4142 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html Debian Security Information: DSA-2001 (Google Search) http://www.debian.org/security/2010/dsa-2001 HPdes Security Advisory: HPSBUX02543 http://marc.info/?l=bugtraq&m=127680701405735&w=2 HPdes Security Advisory: SSRT100152 BugTraq ID: 37389 http://www.securityfocus.com/bid/37389 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10005 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7085 http://securitytracker.com/id?1023372 http://secunia.com/advisories/37821 http://secunia.com/advisories/38648 http://secunia.com/advisories/40262 http://www.vupen.com/english/advisories/2009/3593 Common Vulnerability Exposure (CVE) ID: CVE-2009-4143 HPdes Security Advisory: HPSBMA02568 http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995 HPdes Security Advisory: SSRT100219 http://www.mandriva.com/security/advisories?name=MDVSA-2010:045 BugTraq ID: 37390 http://www.securityfocus.com/bid/37390 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:7439 http://secunia.com/advisories/41480 http://secunia.com/advisories/41490 |
| Copyright | Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com |
| This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below. |
|
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe | Whois
© 1998-2013 E-Soft Inc. All rights reserved.