php-5.3.3-22.AXS4
Errata ID: AXSA:2013-117:01
Release date:
2013/03/06 Wednesday - 12:08
Title:
php-5.3.3-22.AXS4
Affected channels:
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
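- The sapi_header_op function in main/SAPI.c in PHP does not check for %0D sequences (carriage return characters), which allows remote attackers to bypass the HTTP response-splitting protection mechanism via a crafted URL. (CVE-2011-1398)
- PHP does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request. (CVE-2012-0831)
- The _php_stream_scandir function in the PHP stream implementation has an unspecified vulnerability with unknown impact and remote attack vectors, related to an "overflow". (CVE-2012-2688)
Some of the CVE translations are quoted from JVN.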
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2012-2688
Unspecified vulnerability in the _php_stream_scandir function in the stream implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact and remote attack vectors, related to an "overflow."
CVE-2012-0831
PHP before 5.3.10 does not properly perform a temporary change to the magic_quotes_gpc directive during the importing of environment variables, which makes it easier for remote attackers to conduct SQL injection attacks via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c, and sapi/fpm/fpm/fpm_main.c.
CVE-2011-1398
The sapi_header_op function in main/SAPI.c in PHP before 5.3.11 and 5.4.x before 5.4.0RC2 does not check for %0D sequences (aka carriage return characters), which allows remote attackers to bypass an HTTP response-splitting protection mechanism via a crafted URL, related to improper interaction between the PHP header function and certain browsers, as demonstrated by Internet Explorer and Google Chrome.
Additional information:
N/A
Download: