php-5.1.6-23.2AXS3

エラータID: AXSA:2009-38:01

リリース日: 
2009/04/22 Wednesday - 16:05
題名: 
php-5.1.6-23.2AXS3
影響のあるチャネル: 
Asianux Server 3 for x86_64
Asianux Server 3 for x86
Severity: 
High
Description: 

以下項目について対処しました。

[Security Fix]
- PHP の imageloadfont 関数にはバッファオーバーフローが存在し、攻撃者が巧妙に作られたフォントファイルによって、サービス拒否 (クラッシュ) や任意のコードを実行される脆弱性があります。(CVE-2008-3658)

- PHPには FastCGI モジュールを使用している場合、拡張子の前に複数のドットがあるリクエストによってサービス拒否 (クラッシュ) が引き起こされる脆弱性があります。 (CVE-2008-3660)

- PHPの imageRotate 関数には Array index エラーがあり、巧妙に作られた値によって任意のメモリの位置の内容を読み取られる脆弱性があります。(CVE-2008-5498)

- PHPの mbstring extention には Unicode変換中にHTMLのエンティティを適切に扱えない問題があり、HTMLのエンティティに含まれる巧妙に作られた文字列によって任意のコードを実行される脆弱性があります。(CVE-2008-5557)

- PHPには クロスサイトスクリプティング (XSS) の脆弱性があり、display_errors を有効にした場合、リモートの攻撃者が任意の WEBスクリプトあるいは HTML を混入させる問題があります。(CVE-2008-5814)

- Apacheを実行中に、.htaccess内の mbstring.func_overload の設定を変更する
ことによってローカルユーザが同じWEBサーバにある他のサイトの動作を変更
できる脆弱性があります。(CVE-2009-0754)

解決策: 

パッケージをアップデートしてください。

CVE: 
CVE-2008-3658
Buffer overflow in the imageloadfont function in ext/gd/gd.c in PHP 4.4.x before 4.4.9 and PHP 5.2 before 5.2.6-r6 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVE-2008-3660
PHP 4.4.x before 4.4.9, and 5.x through 5.2.6, when used as a FastCGI module, allows remote attackers to cause a denial of service (crash) via a request with multiple dots preceding the extension, as demonstrated using foo..php.
CVE-2008-5498
Array index error in the imageRotate function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the bgd_color or clrBack argument) for an indexed image.
CVE-2008-5557
Heap-based buffer overflow in ext/mbstring/libmbfl/filters/mbfilter_htmlent.c in the mbstring extension in PHP 4.3.0 through 5.2.6 allows context-dependent attackers to execute arbitrary code via a crafted string containing an HTML entity, which is not properly handled during Unicode conversion, related to the (1) mb_convert_encoding, (2) mb_check_encoding, (3) mb_convert_variables, and (4) mb_parse_str functions.
CVE-2008-5814
Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and earlier, when display_errors is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: because of the lack of details, it is unclear whether this is related to CVE-2006-0208.
CVE-2009-0754
PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows local users to modify behavior of other sites hosted on the same web server by modifying the mbstring.func_overload setting within .htaccess, which causes this setting to be applied to other virtual hosts on the same server.




追加情報: 

N/A

ダウンロード: 

SRPMS
  1. php-5.1.6-23.2AXS3.src.rpm
    MD5: 1645973043005ebc9be1f870bb7af88e
    SHA-256: 3f60c0596c92f35ff3c36926ca68e4cc9635905339a91d0b241da08e92326e75
    Size: 7.99 MB

Asianux Server 3 for x86
  1. php-5.1.6-23.2AXS3.i386.rpm
    MD5: 155ca4acb29a879d6c3b33cb1a0cbe8b
    SHA-256: 81724c0199123c5a28a273aacc17cfc7b62ad507bf54fd4a893910b18ad4e216
    Size: 1.16 MB
  2. php-bcmath-5.1.6-23.2AXS3.i386.rpm
    MD5: 571cff46cece5d9639d7c5812585afee
    SHA-256: 3a638bc39516916bf230e7a5e0d2d18bc83b250bed65fad021aa1e64e39644fd
    Size: 34.11 kB
  3. php-cli-5.1.6-23.2AXS3.i386.rpm
    MD5: 5d5efc43ab580b8e00a98e2a814edda2
    SHA-256: f1406eaeb7f084df4913f5057b73b35101aeda9720b6b9b327d92b44929b494b
    Size: 2.13 MB
  4. php-common-5.1.6-23.2AXS3.i386.rpm
    MD5: 679928d5b539bfa96aa2428e97cbe48d
    SHA-256: bc4ae77f5babf46c9cbffe2b5d03e14f4e27d4cddb7b2d78cf6e7a13202003d0
    Size: 155.02 kB
  5. php-dba-5.1.6-23.2AXS3.i386.rpm
    MD5: e2478b4d7807c240181ded9dab7d70fc
    SHA-256: 9ca04303a24e2d7166b08e41f761b4b2459fadb0cb5b5294673ef3a0ebaab8b3
    Size: 41.10 kB
  6. php-devel-5.1.6-23.2AXS3.i386.rpm
    MD5: 53bb6c698215fd651bc239bf4cf20fe9
    SHA-256: b56500fa7f32db3902757016e2686b7994f6a48ccab00949c3ee0b7d1215e191
    Size: 520.39 kB
  7. php-gd-5.1.6-23.2AXS3.i386.rpm
    MD5: 46efe3f2f53010d065b50e7794d3363f
    SHA-256: d483747a1e07d0d0459377a947f0aa629a96b65b09de79487076c4f977939f9d
    Size: 116.05 kB
  8. php-imap-5.1.6-23.2AXS3.i386.rpm
    MD5: f641b988670bc740425fcca02d82e457
    SHA-256: 44e502c50cd0b2457c716d4d7cc2da5115af8d355787a5f9604f9c9c71874774
    Size: 53.90 kB
  9. php-ldap-5.1.6-23.2AXS3.i386.rpm
    MD5: 4b02191b3f731b843c594106c992ed44
    SHA-256: fff49b64e71964f6a676f06f5cefdb92bc9fcf847d3f1454ceb7eff3b3c38be3
    Size: 36.48 kB
  10. php-mbstring-5.1.6-23.2AXS3.i386.rpm
    MD5: c9519ff8857d91d74f58730686770cc3
    SHA-256: b700bcff275158d8bd6ed1daf8a1f70df51ff11776f7daafb677f3fc5ecb154d
    Size: 1.03 MB
  11. php-mysql-5.1.6-23.2AXS3.i386.rpm
    MD5: 4c46295c6005e6214177b8017e0d6544
    SHA-256: 2b1982e7a93b8c8993b9faa6b5b925de02208e8bbcc93b45793fc280854709c5
    Size: 85.51 kB
  12. php-ncurses-5.1.6-23.2AXS3.i386.rpm
    MD5: c9e4dc56f3315283578af9c6fded8226
    SHA-256: 079d1077fdd1a1aa23b425d2c6781be2d99bdff7e32a2e584cd9616513371ba6
    Size: 40.91 kB
  13. php-oci8-5.1.6-23.2AXS3.i386.rpm
    MD5: c40c6ebdc1ea39abad7aab75adbf9d97
    SHA-256: 576c6c2ad43b88bd35561072a1723244802b6dca9e5710fb47b2410e50c47571
    Size: 72.74 kB
  14. php-odbc-5.1.6-23.2AXS3.i386.rpm
    MD5: b8b628fc1e5abaa562b3e8f3f4eb69a2
    SHA-256: 31f6731d3909c539f2dcc2f09ea069bab3818425f213d615d3af930ae80fdfac
    Size: 52.97 kB
  15. php-pdo-5.1.6-23.2AXS3.i386.rpm
    MD5: 8d813d57b9ed0613dcbd466bc5d61b9d
    SHA-256: 4db01d39d34e8f4898d2b4043a3aad0d9d79024d685ab63db3064e1704a95cd2
    Size: 64.11 kB
  16. php-pgsql-5.1.6-23.2AXS3.i386.rpm
    MD5: 0939510360a2ca5ef01c8ab368b6aa76
    SHA-256: d5182113e3a6c799a87b628975704b24af9680dc68f0704cb36940aed394d480
    Size: 67.49 kB
  17. php-snmp-5.1.6-23.2AXS3.i386.rpm
    MD5: 8666eb7bde55d545c361c6f22aa8e8a2
    SHA-256: a78aba621d85c3f652443665b61b03e70872828c5ccb767548cb7588535b98cb
    Size: 29.51 kB
  18. php-soap-5.1.6-23.2AXS3.i386.rpm
    MD5: eddee04367609b65abdd55081a290472
    SHA-256: 968bffaea971b042de5ed70c2b75d97e2bb13cb335f409d30dbd1ea63b67e931
    Size: 138.69 kB
  19. php-xml-5.1.6-23.2AXS3.i386.rpm
    MD5: 7841a8ada350b7552d63bbeb7a76a555
    SHA-256: 412db6517a8553a154c95be6cb97895aadec624687f91d3e3da3e656912d6f27
    Size: 96.41 kB
  20. php-xmlrpc-5.1.6-23.2AXS3.i386.rpm
    MD5: ab8c8c8ad7d73646088d05ec7220c170
    SHA-256: 5b3d4ad3a4e6ff8f869f168e91ddb91f78c8bab02f1330d472f29eb76ed17f49
    Size: 56.64 kB

Asianux Server 3 for x86_64
  1. php-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 926a957b6685e47de0bc5cc685c0cf92
    SHA-256: 24251b8309c56e2984c1efede86cff569e919af6dc7aeb53a5b3a67dc0006c22
    Size: 1.18 MB
  2. php-bcmath-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 45cd8ba7b281835d4aaf84295ec3347a
    SHA-256: 0a254f0c087d3a09d26d1492e4a26c934bbb7de5c223de332f7e1bc24bfd9c21
    Size: 34.34 kB
  3. php-cli-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 64254856c9116b35e68d372fd1ce6d69
    SHA-256: 654d52ab3ed3ef3698f4dd5cf5bf2b93a381faed33208e04f92495f74e41bcb7
    Size: 2.20 MB
  4. php-common-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 1eba50a9ec75ca60f7a85fbc92dea3db
    SHA-256: ed9d6fe460bdc1698287fb587a997859180878b8da4feea11b863009f574f5c4
    Size: 155.84 kB
  5. php-dba-5.1.6-23.2AXS3.x86_64.rpm
    MD5: badb58169296044af0c2bdcd9a415e61
    SHA-256: c8f241525563323dad5d36a4691203d3069dffc8510155a2ac49e0c1fac820fa
    Size: 41.22 kB
  6. php-devel-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 6afa93dd25fbe5779edf65b53693efae
    SHA-256: 57e8dc8296a7be6c682933cd62ff35c656f3f902efc0c1efff6c103df81ee672
    Size: 520.68 kB
  7. php-gd-5.1.6-23.2AXS3.x86_64.rpm
    MD5: cfb150cdb99eeb5b7c9c9a21972d2b89
    SHA-256: cc5ead9696d30fd8ee784b751554fada3a4113c39025fae37713f9dc1bb5d482
    Size: 116.72 kB
  8. php-imap-5.1.6-23.2AXS3.x86_64.rpm
    MD5: e96d4c04cc316c22a07babbc558febe4
    SHA-256: e282a18fbff71cbddab39b1ced8587d01c9aee8abd604ce1676b9ee48496e306
    Size: 53.94 kB
  9. php-ldap-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 337f97d6029506ad52e408a039b5da18
    SHA-256: 26be708c15cd2ebf2341e0c9eb514c701b7c3ac78fd1eebe9321cf4a3f08c6e2
    Size: 37.27 kB
  10. php-mbstring-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 4e8cb5dd338fd586a6a469299ab7459b
    SHA-256: daa96d36d9d780751f04730068c205e86e3581528872e0df422fe2a2a6f69f25
    Size: 1.04 MB
  11. php-mysql-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 3ac4c6b77d1c67f44663ae087f63c0ea
    SHA-256: 857640514fb8444a2acd28c6dcf3b9eaa317ba46915c2d099f4c316d30c2907c
    Size: 88.57 kB
  12. php-ncurses-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 9c044038fa1101212e7ac9c64b04b150
    SHA-256: be0342d89aab975cfd31ea56623c25d18e96da7b7ee83fec32ef47ff2d21a243
    Size: 42.04 kB
  13. php-oci8-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 291da9b447455f394751513a8c9a3f5d
    SHA-256: ac99f3ff0b36f35d472bc908aa7233e8dcc78f590402e4c322ee2d77cfaf29c1
    Size: 71.38 kB
  14. php-odbc-5.1.6-23.2AXS3.x86_64.rpm
    MD5: a5d8566db3c6083a25215ce634ea6661
    SHA-256: c67e14be9e969605219aa90903582e59fc8ff138a0b856ced5b4d4b84e1e0344
    Size: 54.00 kB
  15. php-pdo-5.1.6-23.2AXS3.x86_64.rpm
    MD5: f7f307f3225aaeb490c80479c5e224b8
    SHA-256: c512ea6f29cd074092c193d697aec5832c40e4055f644afcb3c726cc80d51442
    Size: 65.62 kB
  16. php-pgsql-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 560425c3fda59f179c56a3b1badcf4c2
    SHA-256: c06f74de0349a7f699ba69b3935eb0bd1194dae0da8688dd1aefa229beacbc58
    Size: 69.46 kB
  17. php-snmp-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 37bde6ff9d099c6fe493aa74cfb5fae2
    SHA-256: 0a2226f4d98043d6b171e8fbb4124e782edb9e37b1366abb9d99b4d24b294f3f
    Size: 29.99 kB
  18. php-soap-5.1.6-23.2AXS3.x86_64.rpm
    MD5: b2f95ed2a5ba9b6e7355493b7ea8e0bd
    SHA-256: 06369a55b1eca03bbdfc1e025261fca82b1bc6a7380f1b0bb09350ea41e4de5b
    Size: 137.25 kB
  19. php-xml-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 83fe64a501670c73f2624f147243812f
    SHA-256: 2c394d6b2bce7160adf5c01ab25486e4fce9c9c77e6dc4ae0a8bda70f96cbc43
    Size: 100.83 kB
  20. php-xmlrpc-5.1.6-23.2AXS3.x86_64.rpm
    MD5: 0c0b3a5e07141cebe52cdf23221b0192
    SHA-256: c220d8ac67f6fd0e0b10e0b20a4f093fe69ff0c9435f5438678639b2df738c4b
    Size: 56.33 kB