php security update

2007-05-09T15:32:48
ID CESA-2007:0349
Type centos
Reporter CentOS Project
Modified 2007-05-09T19:53:54

Description

CentOS Errata and Security Advisory CESA-2007:0349

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server.

A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP script which implements an XML-RPC server using this extension could allow a remote attacker to execute arbitrary code as the 'apache' user. Note that this flaw does not affect PHP applications using the pure-PHP XML_RPC class provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509)

Users of PHP should upgrade to these updated packages which contain backported patches to correct these issues.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2007-May/013739.html http://lists.centos.org/pipermail/centos-announce/2007-May/013740.html

Affected packages: php php-devel php-domxml php-gd php-imap php-ldap php-mbstring php-mysql php-ncurses php-odbc php-pear php-pgsql php-snmp php-xmlrpc

Upstream details at: https://rhn.redhat.com/errata/RHSA-2007-0349.html