Pardus: 2010-98: PHP: Remote Code Injection
Posted by Benjamin D. Thomas   
A vulnerability has been fixed in SplObjectStorage unserializer in PHP which can allow malicious users to execute arbitrary code.
------------------------------------------------------------------------
Pardus Linux Security Advisory 2010-98            security@pardus.org.tr
------------------------------------------------------------------------
      Date: 2010-08-02
  Severity: 3
      Type: Remote
------------------------------------------------------------------------

Summary
=======
A vulnerability has been fixed in SplObjectStorage unserializer in PHP
which can allow malicious users to execute arbitrary code.


Description
===========
CVE-2010-2225:

Use-after-free vulnerability in the SplObjectStorage unserializer in PHP
5.2.x and 5.3.x through 5.3.2 allows remote attackers to execute
arbitrary code or obtain sensitive information via serialized data,
related to the PHP unserialize function.
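
Until the update is installed, inputs that reach unserialize() can be triaged for serialized data naming SplObjectStorage. The sketch below is an added example, not part of the advisory or of PHP; the (source, field, value) record layout, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# PHP serialize() writes objects as O:<len>:"<Class>":... and classes that
# serialize themselves (Serializable) as C:<len>:"<Class>":...
# An optional sign before the length is tolerated.
CLASS_TOKEN = re.compile(r'(?<![A-Za-z0-9])[OC]:\+?(\d+):"([^"]*)"')
TARGET = "splobjectstorage"  # PHP class names are case-insensitive


def serialized_classes(value):
    """Return class names declared in a (possibly URL-encoded) serialized string."""
    names = []
    for length, name in CLASS_TOKEN.findall(unquote(value)):
        # Keep only tokens whose declared length matches the quoted name;
        # this drops look-alike text that is not serialized data.
        if int(length) == len(name):
            names.append(name)
    return names


def flag_inputs(records):
    """Return (source, field) for inputs whose serialized data names SplObjectStorage."""
    return [
        (source, field)
        for source, field, value in records
        if any(n.lower() == TARGET for n in serialized_classes(value))
    ]


# Constructed sample inputs (documentation addresses, harmless empty objects).
SAMPLE = [
    ("192.0.2.5", "cookie:prefs", 'a:1:{s:4:"lang";s:2:"tr";}'),
    ("192.0.2.7", "cookie:cart", 'C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}'),
    ("192.0.2.9", "post:state",
     "a%3A1%3A%7Bi%3A0%3BC%3A16%3A%22splobjectstorage%22%3A14%3A"
     "%7Bx%3Ai%3A0%3Bm%3Aa%3A0%3A%7B%7D%7D%7D"),
    ("192.0.2.11", "post:note", 'see C:16:"short" in the docs'),
]

if __name__ == "__main__":
    for source, field in flag_inputs(SAMPLE):
        print(f"review {field} from {source}: names SplObjectStorage")
```

A match is a triage signal only: values wrapped in an encoding this sketch does not decode pass unseen, so the package update below remains the fix.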


Affected packages:

  Pardus 2009:
    mod_php, all before 5.2.13-78-13


Resolution
==========
There are update(s) for mod_php. You can update them via Package Manager
or with a single command from console:

    pisi up mod_php

References
==========
  * http://bugs.pardus.org.tr/show_bug.cgi?id644
  * http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2225
  * https://bugzilla.redhat.com/show_bug.cgi?id=605641

------------------------------------------------------------------------