
Test ID:
Category: Red Hat Local Security Checks
Title: RedHat Update for php RHSA-2013:1615-02
Summary: The remote host is missing an update for the 'php' package(s) announced via the referenced advisory.

Vulnerability Insight:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

It was found that PHP did not properly handle file names with a NULL
character. A remote attacker could possibly use this flaw to make a PHP
script access unexpected files and bypass intended file system access
restrictions. (CVE-2006-7243)

A flaw was found in PHP's SSL client's hostname identity check when
handling certificates that contain hostnames with NULL bytes. If an
attacker was able to get a carefully crafted certificate signed by a
trusted Certificate Authority, the attacker could use the certificate to
conduct man-in-the-middle attacks to spoof SSL servers. (CVE-2013-4248)

It was found that the PHP SOAP parser allowed the expansion of external XML
entities during SOAP message parsing. A remote attacker could possibly use
this flaw to read arbitrary files that are accessible to a PHP application
using a SOAP extension. (CVE-2013-1643)

This update fixes the following bugs:

* Previously, when the allow_call_time_pass_reference setting was disabled,
a virtual host on the Apache server could terminate with a segmentation
fault when attempting to process certain PHP content. This bug has been
fixed and virtual hosts no longer crash when allow_call_time_pass_reference
is off. (BZ#892158, BZ#910466)

* Prior to this update, if an error occurred during the operation of the
fclose(), file_put_contents(), or copy() function, the function did not
report it. This could have led to data loss. With this update, the
aforementioned functions have been modified to properly report any errors.

* The internal buffer for the SQLSTATE error code can store a maximum of 5
characters. Previously, when certain calls exceeded this limit, a buffer
overflow occurred. With this update, messages longer than 5 characters are
automatically replaced with the default 'HY000' string, thus preventing the
overflow. (BZ#969110)

In addition, this update adds the following enhancement:

* This update adds the following rpm macros to the php package: %__php,
%php_inidir, %php_incldir. (BZ#953814)

Users of php are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement. After installing the updated packages,
the httpd daemon must be restarted for the update to take effect.

Affected Software/OS:
php on Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Please Install the Updated Packages.

CVSS Score:

CVSS Vector:

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2006-7243
BugTraq ID: 44951
HPdes Security Advisory: HPSBOV02763
HPdes Security Advisory: HPSBUX02741
HPdes Security Advisory: SSRT100728
HPdes Security Advisory: SSRT100826
RedHat Security Advisories: RHSA-2013:1307
RedHat Security Advisories: RHSA-2013:1615
RedHat Security Advisories: RHSA-2014:0311
Common Vulnerability Exposure (CVE) ID: CVE-2013-1643
Debian Security Information: DSA-2639
SuSE Security Announcement: SUSE-SU-2013:1285
SuSE Security Announcement: SUSE-SU-2013:1315
Common Vulnerability Exposure (CVE) ID: CVE-2013-4248
BugTraq ID: 61776
Debian Security Information: DSA-2742
HPdes Security Advisory: HPSBUX03150
SuSE Security Announcement: openSUSE-SU-2013:1963
SuSE Security Announcement: openSUSE-SU-2013:1964
Copyright: Copyright (C) 2013 Greenbone Networks GmbH

© 1998-2021 E-Soft Inc. All rights reserved.