php-5.4.16-48.el7
Errata ID: AXSA:2020-019:01
Release date:
2020/04/24 Friday - 11:31
Title:
php-5.4.16-48.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
The following issues have been addressed.
[Security Fix]
- ext/phar/phar_object.c in PHP contains a reflected XSS vulnerability on the PHAR 403 and PHAR 404 error pages via the request data of a request for a .phar file.
Note: this vulnerability exists because of an incomplete fix for CVE-2018-5712. (CVE-2018-10547)
- PHP contains a reflected XSS vulnerability on the PHAR 404 error page via the URL of a request for a .phar file. (CVE-2018-5712)
- The php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c in PHP contains a stack-based buffer under-read vulnerability when parsing an HTTP response. (CVE-2018-7584)
- In base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c in PHP, the xmlrpc_decode() function can allow a malicious XMLRPC server to cause PHP to read memory outside of its allocated areas. (CVE-2019-9024)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2018-10547
An issue was discovered in ext/phar/phar_object.c in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. There is Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2018-5712.
CVE-2018-5712
An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.
CVE-2018-7584
In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and 7.2.x through 7.2.2, there is a stack-based buffer under-read while parsing an HTTP response in the php_stream_url_wrap_http_ex function in ext/standard/http_fopen_wrapper.c. This subsequently results in copying a large string.
CVE-2019-9024
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. xmlrpc_decode() can allow a hostile XMLRPC server to cause PHP to read memory outside of allocated areas in base64_decode_xmlrpc in ext/xmlrpc/libxmlrpc/base64.c.
Additional information:
N/A
Downloads:
SRPMS
- php-5.4.16-48.el7.src.rpm (11.41 MB)
Asianux Server 7 for x86_64
- php-5.4.16-48.el7.x86_64.rpm (1.35 MB)
- php-bcmath-5.4.16-48.el7.x86_64.rpm (57.29 kB)
- php-cli-5.4.16-48.el7.x86_64.rpm (2.75 MB)
- php-common-5.4.16-48.el7.x86_64.rpm (564.51 kB)
- php-gd-5.4.16-48.el7.x86_64.rpm (127.12 kB)
- php-ldap-5.4.16-48.el7.x86_64.rpm (52.24 kB)
- php-mbstring-5.4.16-48.el7.x86_64.rpm (504.72 kB)
- php-mysql-5.4.16-48.el7.x86_64.rpm (100.86 kB)
- php-odbc-5.4.16-48.el7.x86_64.rpm (65.14 kB)
- php-pdo-5.4.16-48.el7.x86_64.rpm (98.48 kB)
- php-pgsql-5.4.16-48.el7.x86_64.rpm (85.85 kB)
- php-process-5.4.16-48.el7.x86_64.rpm (55.57 kB)
- php-recode-5.4.16-48.el7.x86_64.rpm (38.20 kB)
- php-soap-5.4.16-48.el7.x86_64.rpm (158.34 kB)
- php-xml-5.4.16-48.el7.x86_64.rpm (125.40 kB)
- php-xmlrpc-5.4.16-48.el7.x86_64.rpm (67.85 kB)