The criticals must be for this ... I'll take a look. ++

On Tue, Jan 31, 2012 at 4:26 PM, Thijs Kinkhorst <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -------------------------------------------------------------------------
> Debian Security Advisory DSA-2399-2                [email protected]
> http://www.debian.org/security/                            Thijs Kinkhorst
> January 31, 2012                       http://www.debian.org/security/faq
> - -------------------------------------------------------------------------
>
> Package        : php5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE ID         : CVE-2011-1938 CVE-2011-2483 CVE-2011-4566 CVE-2011-4885
>                  CVE-2012-0057
>
> A regression was found in the fix for PHP's XSLT transformations
> (CVE-2012-0057). Updated packages are now available to address this
> regression. For reference, the original advisory text follows.
>
> Several vulnerabilities have been discovered in PHP, the web scripting
> language. The Common Vulnerabilities and Exposures project identifies
> the following issues:
>
> CVE-2011-1938
>
>     The UNIX socket handling allowed attackers to trigger a buffer overflow
>     via a long path name.
>
> CVE-2011-2483
>
>     The crypt_blowfish function did not properly handle 8-bit characters,
>     which made it easier for attackers to determine a cleartext password
>     by using knowledge of a password hash.
>
> CVE-2011-4566
>
>     When used on 32 bit platforms, the exif extension could be used to
>     trigger an integer overflow in the exif_process_IFD_TAG function
>     when processing a JPEG file.
>
> CVE-2011-4885
>
>     It was possible to trigger hash collisions predictably when parsing
>     form parameters, which allows remote attackers to cause a denial of
>     service by sending many crafted parameters.
>
> CVE-2012-0057
>
>     When applying a crafted XSLT transform, an attacker could write files
>     to arbitrary places in the filesystem.
>
> NOTE: the fix for CVE-2011-2483 required changing the behaviour of this
> function: it is now incompatible with some old (wrongly) generated hashes
> for passwords containing 8-bit characters. See the package NEWS entry
> for details. This change has not been applied to the Lenny version of PHP.
>
> NOTE: at the time of release packages for some architectures are still
> being built. They will be installed into the archive as soon as they
> arrive.
>
> For the oldstable distribution (lenny), these problems have been fixed
> in version 5.2.6.dfsg.1-1+lenny15.
>
> For the stable distribution (squeeze), these problems have been fixed
> in version 5.3.3-7+squeeze6.
>
> For the testing distribution (wheezy) and unstable distribution (sid),
> these problems have been fixed in version 5.3.9-1.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: http://www.debian.org/security/
>
> Mailing list: [email protected]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
>
> iQEcBAEBAgAGBQJPKAUcAAoJEOxfUAG2iX57Ct0IANOSodYkvOES0ARyuzHoj+wl
> UJubCz4qt/FoUEQk8lmlmenH11Ny+W9bWNpzWuQXoOXGI9o10NNrV3+NtVeFsDZb
> MpJEyrk9ES0kVlH9n2D7ajEz1BA550HGkdP8jJm+hCHb0gyBr/DaleVBpwBF/275
> NGVKaYouYYEUpiua1tqRuxGI8Csd3EidJBhexFzMMwsNDqnTJWBbr1Fs+YvFNJE/
> JcWLg8Dq/NJUfJNSJKVHBcA+v/CBSD1MXoqKyXdoHgdm7CrEIrT0kNvaZDLk8rN5
> yONK+SUZOu8ZNEWLaxJQZdogg6wEGqxAWte6n5KbqyOlC0melVvvrxJY8FWo8f0=
> =CVzr
> -----END PGP SIGNATURE-----
>
> Archive: http://lists.debian.org/[email protected]

--
Genre ;)

