Lucene search
AmazonALAS-2012-037HistoryJan 19, 2012 - 8:10 p.m.
Medium: php
2012-01-1920:10:00
alas.aws.amazon.com
52
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.882 High
EPSS
Percentile
98.6%
Issue Overview:
It was found that the hashing routine used by PHP arrays was susceptible to predictable hash collisions. If an HTTP POST request to a PHP application contained many parameters whose names map to the same hash value, a large amount of CPU time would be consumed. This flaw has been mitigated by adding a new configuration directive, max_input_vars, that limits the maximum number of parameters processed per request. By default, max_input_vars is set to 1000. (CVE-2011-4885)
An integer overflow flaw was found in the PHP exif extension. On 32-bit systems, a specially-crafted image file could cause the PHP interpreter to crash or disclose portions of its memory when a PHP script tries to extract Exchangeable image file format (Exif) metadata from the image file. (CVE-2011-4566)
Affected Packages:
php
Issue Correction:
Run yum update php to update your system.
New Packages:
i686:
php-dba-5.3.9-1.9.amzn1.i686
php-odbc-5.3.9-1.9.amzn1.i686
php-embedded-5.3.9-1.9.amzn1.i686
php-mbstring-5.3.9-1.9.amzn1.i686
php-pgsql-5.3.9-1.9.amzn1.i686
php-common-5.3.9-1.9.amzn1.i686
php-debuginfo-5.3.9-1.9.amzn1.i686
php-ldap-5.3.9-1.9.amzn1.i686
php-cli-5.3.9-1.9.amzn1.i686
php-fpm-5.3.9-1.9.amzn1.i686
php-5.3.9-1.9.amzn1.i686
php-imap-5.3.9-1.9.amzn1.i686
php-bcmath-5.3.9-1.9.amzn1.i686
php-soap-5.3.9-1.9.amzn1.i686
php-devel-5.3.9-1.9.amzn1.i686
php-xml-5.3.9-1.9.amzn1.i686
php-pdo-5.3.9-1.9.amzn1.i686
php-mcrypt-5.3.9-1.9.amzn1.i686
php-mysqlnd-5.3.9-1.9.amzn1.i686
php-snmp-5.3.9-1.9.amzn1.i686
php-mysql-5.3.9-1.9.amzn1.i686
php-process-5.3.9-1.9.amzn1.i686
php-tidy-5.3.9-1.9.amzn1.i686
php-intl-5.3.9-1.9.amzn1.i686
php-gd-5.3.9-1.9.amzn1.i686
php-pspell-5.3.9-1.9.amzn1.i686
php-mssql-5.3.9-1.9.amzn1.i686
php-xmlrpc-5.3.9-1.9.amzn1.i686
src:
php-5.3.9-1.9.amzn1.src
x86_64:
php-embedded-5.3.9-1.9.amzn1.x86_64
php-xml-5.3.9-1.9.amzn1.x86_64
php-intl-5.3.9-1.9.amzn1.x86_64
php-soap-5.3.9-1.9.amzn1.x86_64
php-ldap-5.3.9-1.9.amzn1.x86_64
php-mcrypt-5.3.9-1.9.amzn1.x86_64
php-debuginfo-5.3.9-1.9.amzn1.x86_64
php-pgsql-5.3.9-1.9.amzn1.x86_64
php-mysqlnd-5.3.9-1.9.amzn1.x86_64
php-odbc-5.3.9-1.9.amzn1.x86_64
php-mbstring-5.3.9-1.9.amzn1.x86_64
php-pspell-5.3.9-1.9.amzn1.x86_64
php-pdo-5.3.9-1.9.amzn1.x86_64
php-tidy-5.3.9-1.9.amzn1.x86_64
php-dba-5.3.9-1.9.amzn1.x86_64
php-gd-5.3.9-1.9.amzn1.x86_64
php-fpm-5.3.9-1.9.amzn1.x86_64
php-cli-5.3.9-1.9.amzn1.x86_64
php-devel-5.3.9-1.9.amzn1.x86_64
php-mysql-5.3.9-1.9.amzn1.x86_64
php-mssql-5.3.9-1.9.amzn1.x86_64
php-xmlrpc-5.3.9-1.9.amzn1.x86_64
php-process-5.3.9-1.9.amzn1.x86_64
php-bcmath-5.3.9-1.9.amzn1.x86_64
php-snmp-5.3.9-1.9.amzn1.x86_64
php-common-5.3.9-1.9.amzn1.x86_64
php-5.3.9-1.9.amzn1.x86_64
php-imap-5.3.9-1.9.amzn1.x86_64
Additional References
Red Hat: CVE-2011-4566, CVE-2011-4885
Mitre: CVE-2011-4566, CVE-2011-4885
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Amazon Linux | 1 | i686 | php-dba | < 5.3.9-1.9.amzn1 | php-dba-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-odbc | < 5.3.9-1.9.amzn1 | php-odbc-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-embedded | < 5.3.9-1.9.amzn1 | php-embedded-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-mbstring | < 5.3.9-1.9.amzn1 | php-mbstring-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-pgsql | < 5.3.9-1.9.amzn1 | php-pgsql-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-common | < 5.3.9-1.9.amzn1 | php-common-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-debuginfo | < 5.3.9-1.9.amzn1 | php-debuginfo-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-ldap | < 5.3.9-1.9.amzn1 | php-ldap-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-cli | < 5.3.9-1.9.amzn1 | php-cli-5.3.9-1.9.amzn1.i686.rpm |
| Amazon Linux | 1 | i686 | php-fpm | < 5.3.9-1.9.amzn1 | php-fpm-5.3.9-1.9.amzn1.i686.rpm |
Related
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2012-37)
2015-09-08 00:00:00
Fedora Update for maniadrive FEDORA-2012-0504
2012-04-02 00:00:00
Fedora Update for php-eaccelerator FEDORA-2012-0504
2012-03-19 00:00:00
nessus
nessus
CentOS 5 / 6 : php / php53 (CESA-2012:0019)
2012-01-12 00:00:00
Amazon Linux AMI : php (ALAS-2012-37)
2013-09-04 00:00:00
freebsd
freebsd
php -- multiple vulnerabilities
2011-12-29 00:00:00
fedora
fedora
[SECURITY] Fedora 16 Update: php-eaccelerator-0.9.6.1-9.fc16.1
2012-01-19 22:00:25
[SECURITY] Fedora 16 Update: maniadrive-1.2-32.fc16.1
2012-01-19 22:00:25
[SECURITY] Fedora 16 Update: php-5.3.9-1.fc16
2012-01-19 22:00:25
oraclelinux
oraclelinux
php53 and php security update
2012-01-11 00:00:00
php security update
2012-01-30 00:00:00
php security update
2012-01-18 00:00:00
redhat
redhat
(RHSA-2012:0019) Moderate: php53 and php security update
2012-01-11 00:00:00
(RHSA-2012:0071) Moderate: php security update
2012-01-30 00:00:00
(RHSA-2012:0092) Critical: php53 security update
2012-02-02 00:00:00
centos
centos
php, php53 security update
2012-01-11 19:19:36
php security update
2012-01-30 20:44:11
php53 security update
2012-02-03 01:43:26
securityvulns
securityvulns
PHP security vulnerabilities
2012-02-08 00:00:00
[oCERT-2011-003] multiple implementations denial-of-service via hash algorithm collision
2012-01-02 00:00:00
[ MDVSA-2012:065 ] php
2012-05-01 00:00:00
seebug
seebug
PHP "exif_process_IFD_TAG()"远程整数溢出漏洞
2011-12-07 00:00:00
PHP Hashtables Denial of Service
2014-07-01 00:00:00
PHP Web表单哈希冲突拒绝服务漏洞
2012-01-01 00:00:00
checkpoint_advisories
checkpoint_advisories
PHP5 Hash Collision Denial Of Service - Ver2 (CVE-2011-4885)
2014-03-03 00:00:00
PHP Exif Header Parsing Integer Overflow (CVE-2011-4566)
2012-08-27 00:00:00
PHP Exif Header Parsing Integer Overflow - Ver2 (CVE-2011-4566)
2015-03-26 00:00:00
packetstorm
packetstorm
PHP 5.3.x Hashtables Proof Of Concept
2012-01-01 00:00:00
PHP 5.3.x Hash Collision Proof Of Concept Code
2012-01-02 00:00:00
veracode
veracode
Denial Of Service (DoS)
2020-04-10 01:06:05
Denial Of Service (DoS)
2020-04-10 01:06:05
Remote Code Execution (RCE)
2020-04-10 01:10:12
prion
prion
Code injection
2011-12-30 01:55:00
Design/Logic Flaw
2012-02-06 20:55:00
Integer overflow
2011-11-29 00:55:00
debian
debian
[SECURITY] [DSA 2399-1] php5 security update
2012-01-31 07:22:58
[SECURITY] [DSA 2399-2] php5 regression fix
2012-01-31 15:26:47
ubuntu
ubuntu
PHP vulnerability
2011-12-14 00:00:00
PHP vulnerabilities
2012-02-10 00:00:00
PHP regression
2012-02-13 00:00:00
osv
osv
php5 - several
2012-01-31 00:00:00
f5
f5
K13588 : PHP vulnerability CVE-2011-4885
2013-09-11 00:00:00
SOL13588 - PHP vulnerability CVE-2011-4885
2012-05-17 00:00:00
K13519 : Multiple PHP vulnerabilities
2013-09-20 00:00:00
exploitpack
exploitpack
PHP 5.3.8 - Hashtables Denial of Service
2012-01-01 00:00:00
PHP Hash Table Collision - Denial of Service (PoC)
2012-01-03 00:00:00
cve
cve
ubuntucve
ubuntucve
exploitdb
exploitdb
PHP 5.3.8 - Hashtables Denial of Service
2012-01-01 00:00:00
PHP Hash Table Collision - Denial of Service (PoC)
2012-01-03 00:00:00
amazon
amazon
Critical: php
2012-02-02 16:10:00
suse
suse
update for php5 (important)
2012-03-29 15:08:14
Security update for PHP5 (important)
2012-04-12 23:08:15
Security update for PHP5 (important)
2012-03-24 03:08:28
cert
cert
Hash table implementations vulnerable to algorithmic complexity attacks
2011-12-28 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2012-09-24 00:00:00
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:N/A:P
0.882 High
EPSS
Percentile
98.6%
Related for ALAS-2012-037