Mandriva Linux Security Advisory 2009-305
Posted Nov 30, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-305 - PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number of temporary files created when handling a multipart/form-data POST request, which allows remote attackers to cause a denial of service (resource exhaustion), and makes it easier for remote attackers to exploit local file inclusion vulnerabilities, via multiple requests, related to lack of support for the max_file_uploads directive. The updated packages have been patched to correct these issues.
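The following Python is an added illustration, not code from Mandriva or from PHP itself. It models the two behaviours the advisory contrasts: the pre-fix engine, which writes one temporary file for every file part in a multipart/form-data POST with no upper bound, and the behaviour once a max_file_uploads limit is enforced, where file parts beyond the cap are skipped rather than written to disk. The boundary string, the field names, the 200-part request body and the "php" temp-file prefix are constructed for the demo; the cap of 20 is PHP's documented default for max_file_uploads. Because the engine creates these temporary files while it is still parsing the request, before any script runs, application code cannot defend against this: the limit has to live in the engine (which is where the updated packages fix it) or in a request filter placed in front of it.

```python
import os
import tempfile

# PHP 5.3.1 introduced the max_file_uploads directive; its default value is 20.
MAX_FILE_UPLOADS = 20


def build_multipart(boundary, n_files):
    """Constructed multipart/form-data body: one ordinary field plus n_files tiny file parts.

    This is the shape of request the advisory describes: many file parts in a
    single POST, each of which the engine turns into a temporary file.
    """
    parts = [b"--" + boundary + b"\r\n"
             b'Content-Disposition: form-data; name="comment"\r\n\r\nhello\r\n']
    for i in range(n_files):
        disp = 'Content-Disposition: form-data; name="f{0}"; filename="f{0}.txt"'.format(i)
        parts.append(b"--" + boundary + b"\r\n" + disp.encode("ascii")
                     + b"\r\nContent-Type: text/plain\r\n\r\nx\r\n")
    parts.append(b"--" + boundary + b"--\r\n")
    return b"".join(parts)


def iter_parts(body, boundary):
    """Yield (headers, data) per part: a minimal multipart splitter, enough for this demo."""
    delim = b"--" + boundary
    for chunk in body.split(delim)[1:]:          # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, sep, value = line.partition(b":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        yield headers, data.rstrip(b"\r\n")


def is_file_part(headers):
    """A part is a file upload when its Content-Disposition carries a filename."""
    return b"filename=" in headers.get(b"content-disposition", b"")


def handle_upload_unbounded(body, boundary, tmpdir):
    """Behaviour the advisory describes for PHP 5.2.11 / 5.3.0: one temp file per file part, no cap."""
    created = []
    for headers, data in iter_parts(body, boundary):
        if not is_file_part(headers):
            continue
        fd, path = tempfile.mkstemp(prefix="php", dir=tmpdir)  # "php" prefix imitates PHP's naming
        os.write(fd, data)
        os.close(fd)
        created.append(path)
    return created


def handle_upload_capped(body, boundary, tmpdir, max_file_uploads=MAX_FILE_UPLOADS):
    """Behaviour with max_file_uploads enforced: once the cap is reached, further file
    parts are skipped instead of being written to disk.
    Returns (created paths, number of skipped file parts)."""
    created, skipped = [], 0
    for headers, data in iter_parts(body, boundary):
        if not is_file_part(headers):
            continue
        if len(created) >= max_file_uploads:
            skipped += 1
            continue
        fd, path = tempfile.mkstemp(prefix="php", dir=tmpdir)
        os.write(fd, data)
        os.close(fd)
        created.append(path)
    return created, skipped


def demo(n_files=200):
    """Return (temp files created without the cap, with the cap, file parts skipped by the cap)."""
    boundary = b"----boundary7MA4YWxkTrZu0gW"   # constructed
    body = build_multipart(boundary, n_files)
    with tempfile.TemporaryDirectory() as d:
        unbounded = len(handle_upload_unbounded(body, boundary, d))
    with tempfile.TemporaryDirectory() as d:
        created, skipped = handle_upload_capped(body, boundary, d)
        capped = len(created)
    return unbounded, capped, skipped


if __name__ == "__main__":
    print(demo())
```

With 200 file parts the unbounded handler leaves 200 files in the upload directory for a single request, which is the resource-exhaustion path; the capped handler stops at 20 and discards the remaining 180 parts. The ordinary "comment" field is parsed by both handlers but never produces a temp file, which is why the cap counts file parts rather than parts in general.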

tags | advisory, remote, denial of service, local, php, vulnerability, file inclusion
systems | linux, mandriva
advisories | CVE-2009-4017
SHA-256 | 8588d381d2abb27d9725664cce93b232f3fae39d7e26be16675a82809f1bcc9f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:305
http://www.mandriva.com/security/
_______________________________________________________________________

Package : php
Date : November 29, 2009
Affected: Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Some vulnerabilities were discovered and corrected in php:

PHP 5.2.11, and 5.3.x before 5.3.1, does not restrict the number
of temporary files created when handling a multipart/form-data POST
request, which allows remote attackers to cause a denial of service
(resource exhaustion), and makes it easier for remote attackers to
exploit local file inclusion vulnerabilities, via multiple requests,
related to lack of support for the max_file_uploads directive
(CVE-2009-4017).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4017
_______________________________________________________________________

Updated Packages:

Corporate 3.0:
fdef0aab5f09878e3699418b72c214cd corporate/3.0/i586/libphp_common432-4.3.4-4.32.C30mdk.i586.rpm
5dd573cc5ce44c2aeea4c4b074d5dc0d corporate/3.0/i586/php432-devel-4.3.4-4.32.C30mdk.i586.rpm
c10153c08511a060cb0bd1fe62650244 corporate/3.0/i586/php-cgi-4.3.4-4.32.C30mdk.i586.rpm
dcf1106af7e2d85b3c97dfdcd1a389ff corporate/3.0/i586/php-cli-4.3.4-4.32.C30mdk.i586.rpm
31b7c19d5cc24d569f931a66dd189743 corporate/3.0/i586/php-ini-4.3.4-1.2.C30mdk.noarch.rpm
0edbc33999f0c3ea89274979bfaa1383 corporate/3.0/SRPMS/php-4.3.4-4.32.C30mdk.src.rpm
0f7d5371e221c065dae5df633a25b2bf corporate/3.0/SRPMS/php-ini-4.3.4-1.2.C30mdk.src.rpm

Corporate 3.0/X86_64:
57331f796957a2cdaf17ec1b7058893f corporate/3.0/x86_64/lib64php_common432-4.3.4-4.32.C30mdk.x86_64.rpm
9f081fb2c3760702dd20edec39542b68 corporate/3.0/x86_64/php432-devel-4.3.4-4.32.C30mdk.x86_64.rpm
e200e5a2f2c3f295d00f9af87b925f7b corporate/3.0/x86_64/php-cgi-4.3.4-4.32.C30mdk.x86_64.rpm
c5bd292c2bb5a8dcaa00f6f7494f827f corporate/3.0/x86_64/php-cli-4.3.4-4.32.C30mdk.x86_64.rpm
779611f1322a1c525eca29fbddd4d31a corporate/3.0/x86_64/php-ini-4.3.4-1.2.C30mdk.noarch.rpm
0edbc33999f0c3ea89274979bfaa1383 corporate/3.0/SRPMS/php-4.3.4-4.32.C30mdk.src.rpm
0f7d5371e221c065dae5df633a25b2bf corporate/3.0/SRPMS/php-ini-4.3.4-1.2.C30mdk.src.rpm

Corporate 4.0:
579acf668145864e21610ff1614faee1 corporate/4.0/i586/libphp4_common4-4.4.4-1.13.20060mlcs4.i586.rpm
79d3fb035f70c7d9360c5458788aec8a corporate/4.0/i586/php4-cgi-4.4.4-1.13.20060mlcs4.i586.rpm
54c94e3ca4521a6aef4d2273eb9ef140 corporate/4.0/i586/php4-cli-4.4.4-1.13.20060mlcs4.i586.rpm
2e014106d72fc661ccd430a5fc36e2ea corporate/4.0/i586/php4-devel-4.4.4-1.13.20060mlcs4.i586.rpm
4ba5982c7b2de7e64d84d9f9a72b187b corporate/4.0/i586/php4-ini-4.4.4-1.1.20060mlcs4.i586.rpm
24e1c9f9f2e18c9bd499b091b612451f corporate/4.0/SRPMS/php4-4.4.4-1.13.20060mlcs4.src.rpm
fc6ddef80946eab5c104d93c137cce6f corporate/4.0/SRPMS/php4-ini-4.4.4-1.1.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
3673367f2065655c6c6956d46fe5cb40 corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.13.20060mlcs4.x86_64.rpm
5d8073b77022027ae52807d9e6fa9ad0 corporate/4.0/x86_64/php4-cgi-4.4.4-1.13.20060mlcs4.x86_64.rpm
1b2fbdce98301d27f728291582fe1bb5 corporate/4.0/x86_64/php4-cli-4.4.4-1.13.20060mlcs4.x86_64.rpm
e63603fce6cd743e24a9daaea57e4158 corporate/4.0/x86_64/php4-devel-4.4.4-1.13.20060mlcs4.x86_64.rpm
0ebb3a50cac9be78aa58f70878172b37 corporate/4.0/x86_64/php4-ini-4.4.4-1.1.20060mlcs4.x86_64.rpm
24e1c9f9f2e18c9bd499b091b612451f corporate/4.0/SRPMS/php4-4.4.4-1.13.20060mlcs4.src.rpm
fc6ddef80946eab5c104d93c137cce6f corporate/4.0/SRPMS/php4-ini-4.4.4-1.1.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
6d6ab3c75e122369a08072660fb34193 mnf/2.0/i586/libphp_common432-4.3.4-4.32.C30mdk.i586.rpm
d041d4fa041a72d09df0553db43ec372 mnf/2.0/i586/php432-devel-4.3.4-4.32.C30mdk.i586.rpm
6a549283056c664f895f8d3891667ff9 mnf/2.0/i586/php-cgi-4.3.4-4.32.C30mdk.i586.rpm
c20be6cce583ade37d6303b3e75d1c11 mnf/2.0/i586/php-cli-4.3.4-4.32.C30mdk.i586.rpm
d618ae651d9d6d7df2edcd6c0d8f09fc mnf/2.0/i586/php-ini-4.3.4-1.2.C30mdk.noarch.rpm
b583bb5e05e00e921d269e9fb57d0810 mnf/2.0/SRPMS/php-4.3.4-4.32.C30mdk.src.rpm
4bf37a9915cbafa029ad42d812a91937 mnf/2.0/SRPMS/php-ini-4.3.4-1.2.C30mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
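For anyone fetching the packages by hand rather than through urpmi, the following Python is an added example (not a Mandriva tool) of checking downloaded files against the "<md5> <relative path>" lines published above. The package list, the file contents and their digests below are constructed so the script runs offline; on a real system you would paste the advisory's own list and point root at the mirror download directory. An MD5 match only shows the download is the file the advisory lists; authenticity comes from the Mandriva GPG signature on the packages, which this check does not replace.

```python
import hashlib
import os
import tempfile

# Constructed package list in the advisory's "<md5> <relative path>" format.  The
# digests are of the constructed file contents written in demo(), not of real packages.
PACKAGE_LIST = """\
Corporate 3.0:
b1946ac92492d2347c6235b4d2611184 corporate/3.0/i586/example-a.rpm
d41d8cd98f00b204e9800998ecf8427e corporate/3.0/i586/example-b.rpm
0123456789abcdef0123456789abcdef corporate/3.0/i586/example-c.rpm
"""

HEX = set("0123456789abcdef")


def parse_package_list(text):
    """Return [(md5, relative path)] from an advisory package block, skipping section headers."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):      # blank line or a "Corporate 3.0:" header
            continue
        digest, path = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError("malformed md5 in line: %r" % line)
        entries.append((digest, path))
    return entries


def md5_of(path):
    """Streamed MD5 so multi-megabyte packages are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(text, root):
    """Map each listed relative path to 'ok', 'mismatch' or 'missing' under root."""
    results = {}
    for digest, rel in parse_package_list(text):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif md5_of(full) == digest:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed download directory: one good file, one tampered file, one not downloaded."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "corporate", "3.0", "i586")
        os.makedirs(d)
        with open(os.path.join(d, "example-a.rpm"), "wb") as f:
            f.write(b"hello\n")                 # md5 b1946ac9... as listed
        with open(os.path.join(d, "example-b.rpm"), "wb") as f:
            f.write(b"not the listed content")  # listed digest is that of an empty file
        return verify_downloads(PACKAGE_LIST, root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(status.ljust(8), rel)
```

A "mismatch" result means stop and re-download from another mirror before installing; "missing" simply flags a package from the list that was never fetched.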

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLEoOGmqjQ0CJFipgRAuAiAJwNJNHBoVWkNIQD8ZM8ahuPBXxS+QCgotx5
IvfPOpuN1y0a/GbDB4/Fp0M=
=fxQO
-----END PGP SIGNATURE-----
