Gentoo: 201209-03 PHP: Multiple vulnerabilities
Posted by Benjamin D. Thomas   
Multiple vulnerabilities were found in PHP, the worst of which lead to remote execution of arbitrary code.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 201209-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High
    Title: PHP: Multiple vulnerabilities
     Date: September 24, 2012
     Bugs: #384301, #396311, #396533, #399247, #399567, #399573,
           #401997, #410957, #414553, #421489, #427354, #429630
       ID: 201209-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in PHP, the worst of which lead to
remote execution of arbitrary code.

Background
==========

PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  dev-lang/php                 < 5.3.15                  >= 5.3.15
                                  < 5.4.5                    >= 5.4.5
    -------------------------------------------------------------------
     # The 5.4.x row of Package 1 (< 5.4.5 / >= 5.4.5) only applies to users
       of these architectures (see Resolution):
       arm

Description
===========

Multiple vulnerabilities have been discovered in PHP. Please review the
CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code with the privileges of
the process, cause a Denial of Service condition, obtain sensitive
information, create arbitrary files, conduct directory traversal
attacks, bypass protection mechanisms, or perform further attacks with
unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All PHP users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.3.15"

All PHP users on ARM should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/php-5.4.5"
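The advisory's ranges can be checked before and after the emerge step above. The following script is an added example, not part of GLSA 201209-03 or of Gentoo's tooling: it compares an installed dev-lang/php ebuild version against the two fixed versions named in this advisory (5.3.15 for the 5.3 branch, 5.4.5 for the 5.4 branch). On a Gentoo host it reads installed versions from the Portage VDB under /var/db/pkg; elsewhere it falls back to a constructed list of sample versions so it runs offline. Ebuild revision suffixes (-r1) and upstream pre-release tags (_rc1) are handled, because a 5.4.5_rc1 ebuild sorts before 5.4.5 in Portage and is therefore still vulnerable.

```shell
#!/bin/sh
# Added example (not from the advisory): check dev-lang/php versions against
# the vulnerable ranges of GLSA 201209-03.

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0;
            yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# Strip ebuild revisions and pre-release tags: 5.3.14-r1 -> 5.3.14, 5.4.5_rc1 -> 5.4.5
php_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# First unaffected version for the branch of the given version, taken from the
# advisory's Affected packages table. Prints nothing for branches it does not cover.
glsa_fixed_version() {
    case "$(php_base_version "$1")" in
        5.3.*) echo 5.3.15 ;;
        5.4.*) echo 5.4.5 ;;
    esac
}

# Exit status: 0 = vulnerable, 1 = unaffected, 2 = branch not covered by the advisory
glsa_status() {
    v=$(php_base_version "$1")
    fixed=$(glsa_fixed_version "$v")
    [ -n "$fixed" ] || return 2
    c=$(vercmp "$v" "$fixed")
    if [ "$c" -lt 0 ]; then
        return 0
    fi
    if [ "$c" -eq 0 ]; then
        # Portage sorts 5.4.5_rc1 before 5.4.5: a pre-release of the fixed
        # version does not carry the fix.
        case "$1" in
            *_alpha*|*_beta*|*_pre*|*_rc*) return 0 ;;
        esac
    fi
    return 1
}

report() {
    rc=0
    glsa_status "$1" || rc=$?
    case $rc in
        0) printf '%-14s VULNERABLE  -> emerge --ask --oneshot --verbose ">=dev-lang/php-%s"\n' \
               "$1" "$(glsa_fixed_version "$1")" ;;
        1) printf '%-14s unaffected\n' "$1" ;;
        *) printf '%-14s branch not covered by GLSA 201209-03\n' "$1" ;;
    esac
}

# On a Gentoo host the installed ebuild versions come from the Portage VDB.
# Elsewhere a constructed sample list stands in for it so the script runs offline.
if [ -d /var/db/pkg/dev-lang ]; then
    installed=$(ls -d /var/db/pkg/dev-lang/php-* 2>/dev/null | sed 's|.*/php-||')
else
    installed="5.3.14-r1 5.3.15 5.4.4_rc1 5.4.5_rc2 5.4.5 5.2.17"
fi
for v in $installed; do
    report "$v"
done
```

The check reads ebuild versions rather than the output of `php -v`, because the advisory's ranges are expressed as package versions and a revision bump (-r1) is only visible in the VDB. Once emerge has installed an unaffected version, restart the web server or php-fpm so that the running worker processes pick up the new binary; a long-running process keeps executing the old code until it is restarted.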

References
==========

[  1 ] CVE-2011-1398
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1398
[  2 ] CVE-2011-3379
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3379
[  3 ] CVE-2011-4566
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4566
[  4 ] CVE-2011-4885
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4885
[  5 ] CVE-2012-0057
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0057
[  6 ] CVE-2012-0788
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0788
[  7 ] CVE-2012-0789
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0789
[  8 ] CVE-2012-0830
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0830
[  9 ] CVE-2012-0831
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0831
[ 10 ] CVE-2012-1172
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1172
[ 11 ] CVE-2012-1823
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1823
[ 12 ] CVE-2012-2143
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2143
[ 13 ] CVE-2012-2311
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2311
[ 14 ] CVE-2012-2335
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2335
[ 15 ] CVE-2012-2336
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2336
[ 16 ] CVE-2012-2386
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2386
[ 17 ] CVE-2012-2688
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2688
[ 18 ] CVE-2012-3365
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3365
[ 19 ] CVE-2012-3450
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3450

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-201209-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5