SUSE-SU-2012:0496-1: important: Security update for PHP5

sle-updates at lists.suse.com sle-updates at lists.suse.com
Thu Apr 12 15:08:13 MDT 2012


   SUSE Security Update: Security update for PHP5
______________________________________________________________________________

Announcement ID:    SUSE-SU-2012:0496-1
Rating:             important
References:         #699711 #709549 #713652 #728671 #733590 #735613 
                    #736169 #738221 #741520 #741859 #742273 #742806 
                    #743308 #744966 #746661 #749111 
Cross-References:   CVE-2011-1072 CVE-2011-1466 CVE-2011-2202
                    CVE-2011-3182 CVE-2011-4153 CVE-2011-4566
                    CVE-2011-4885 CVE-2012-0057 CVE-2012-0781
                    CVE-2012-0788 CVE-2012-0789 CVE-2012-0807
                    CVE-2012-0830 CVE-2012-0831
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Software Development Kit 11 SP1
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Server 11 SP1 for VMware
                    SUSE Linux Enterprise Server 11 SP1
______________________________________________________________________________

   An update that solves 14 vulnerabilities and has two fixes
   is now available. It includes one version update.

Description:


   This update of php5 fixes multiple security flaws:

   * CVE-2011-2202: A php5 upload filename injection was
   fixed.
   * CVE-2011-4566: A integer overflow in the EXIF
   extension was fixed that could be used by attackers to
   crash the interpreter or potentially read memory
   * CVE-2011-3182: Multiple NULL pointer dereferences
   were fixed that could lead to crashes
   * CVE-2011-1466: An integer overflow in the PHP
   calendar extension was fixed that could have led to crashes.
   * CVE-2011-1072: A symlink vulnerability in the PEAR
   installer could be exploited by local attackers to inject
   code.
   * CVE-2011-4153: missing checks of return values could
   allow remote attackers to cause a denial of service (NULL
   pointer dereference)
   * CVE-2011-4885: denial of service via hash collisions
   * CVE-2012-0057: specially crafted XSLT stylesheets
   could allow remote attackers to create arbitrary files with
   arbitrary content
   * CVE-2012-0781: remote attackers can cause a denial of
   service via specially crafted input to an application that
   attempts to perform Tidy::diagnose operations
   * CVE-2012-0788: applications that use a PDO driver
   were prone to denial of service flaws which could be
   exploited remotely
   * CVE-2012-0789: memory leak in the timezone
   functionality could allow remote attackers to cause a
   denial of service (memory consumption)
   * CVE-2012-0807: a stack based buffer overflow in the
   php5 Suhosin extension could allow remote attackers to
   execute arbitrary code via a long string that is used in a
   Set-Cookie HTTP header
   * CVE-2012-0830: this fixes an incorrect fix for
   CVE-2011-4885 which could allow remote attackers to execute
   arbitrary code via a request containing a large number of
   variables
   * CVE-2012-0831: temporary changes to the
   magic_quotes_gpc directive during the importing of
   environment variables is not properly performed which makes
   it easier for remote attackers to conduct SQL injections

   Also the following bugs have been fixed:

   * allow uploading files bigger than 2GB for 64bit
   systems [bnc#709549]
   * amend README.SUSE to discourage using apache module
   with apache2-worker [bnc#728671]

   Security Issue references:

   * CVE-2011-2202
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2202
   >
   * CVE-2011-4153
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4153
   >
   * CVE-2011-4885
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4885
   >
   * CVE-2012-0057
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0057
   >
   * CVE-2012-0781
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0781
   >
   * CVE-2012-0788
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0788
   >
   * CVE-2012-0789
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0789
   >
   * CVE-2012-0807
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0807
   >
   * CVE-2012-0830
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830
   >
   * CVE-2012-0831
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
   >
   * CVE-2011-4566
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4566
   >
   * CVE-2011-3182
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3182
   >
   * CVE-2011-1466
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1466
   >
   * CVE-2011-1072
   <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1072
   >


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp1-apache2-mod_php5-5964

   - SUSE Linux Enterprise Software Development Kit 11 SP1:

      zypper in -t patch sdksp1-apache2-mod_php5-5964

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp1-apache2-mod_php5-5964

   - SUSE Linux Enterprise Server 11 SP1 for VMware:

      zypper in -t patch slessp1-apache2-mod_php5-5964

   - SUSE Linux Enterprise Server 11 SP1:

      zypper in -t patch slessp1-apache2-mod_php5-5964

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

      php5-devel-5.2.14-0.7.30.34.1
      php5-imap-5.2.14-0.7.30.34.1
      php5-ncurses-5.2.14-0.7.30.34.1
      php5-posix-5.2.14-0.7.30.34.1
      php5-readline-5.2.14-0.7.30.34.1
      php5-sockets-5.2.14-0.7.30.34.1
      php5-sqlite-5.2.14-0.7.30.34.1
      php5-tidy-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.7.30.34.1
      php5-5.2.14-0.7.30.34.1
      php5-bcmath-5.2.14-0.7.30.34.1
      php5-bz2-5.2.14-0.7.30.34.1
      php5-calendar-5.2.14-0.7.30.34.1
      php5-ctype-5.2.14-0.7.30.34.1
      php5-curl-5.2.14-0.7.30.34.1
      php5-dba-5.2.14-0.7.30.34.1
      php5-dbase-5.2.14-0.7.30.34.1
      php5-dom-5.2.14-0.7.30.34.1
      php5-exif-5.2.14-0.7.30.34.1
      php5-fastcgi-5.2.14-0.7.30.34.1
      php5-ftp-5.2.14-0.7.30.34.1
      php5-gd-5.2.14-0.7.30.34.1
      php5-gettext-5.2.14-0.7.30.34.1
      php5-gmp-5.2.14-0.7.30.34.1
      php5-hash-5.2.14-0.7.30.34.1
      php5-iconv-5.2.14-0.7.30.34.1
      php5-json-5.2.14-0.7.30.34.1
      php5-ldap-5.2.14-0.7.30.34.1
      php5-mbstring-5.2.14-0.7.30.34.1
      php5-mcrypt-5.2.14-0.7.30.34.1
      php5-mysql-5.2.14-0.7.30.34.1
      php5-odbc-5.2.14-0.7.30.34.1
      php5-openssl-5.2.14-0.7.30.34.1
      php5-pcntl-5.2.14-0.7.30.34.1
      php5-pdo-5.2.14-0.7.30.34.1
      php5-pear-5.2.14-0.7.30.34.1
      php5-pgsql-5.2.14-0.7.30.34.1
      php5-pspell-5.2.14-0.7.30.34.1
      php5-shmop-5.2.14-0.7.30.34.1
      php5-snmp-5.2.14-0.7.30.34.1
      php5-soap-5.2.14-0.7.30.34.1
      php5-suhosin-5.2.14-0.7.30.34.1
      php5-sysvmsg-5.2.14-0.7.30.34.1
      php5-sysvsem-5.2.14-0.7.30.34.1
      php5-sysvshm-5.2.14-0.7.30.34.1
      php5-tokenizer-5.2.14-0.7.30.34.1
      php5-wddx-5.2.14-0.7.30.34.1
      php5-xmlreader-5.2.14-0.7.30.34.1
      php5-xmlrpc-5.2.14-0.7.30.34.1
      php5-xmlwriter-5.2.14-0.7.30.34.1
      php5-xsl-5.2.14-0.7.30.34.1
      php5-zip-5.2.14-0.7.30.34.1
      php5-zlib-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

      php5-devel-5.2.14-0.7.30.34.1
      php5-imap-5.2.14-0.7.30.34.1
      php5-ncurses-5.2.14-0.7.30.34.1
      php5-posix-5.2.14-0.7.30.34.1
      php5-readline-5.2.14-0.7.30.34.1
      php5-sockets-5.2.14-0.7.30.34.1
      php5-sqlite-5.2.14-0.7.30.34.1
      php5-tidy-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.7.30.34.1
      php5-5.2.14-0.7.30.34.1
      php5-bcmath-5.2.14-0.7.30.34.1
      php5-bz2-5.2.14-0.7.30.34.1
      php5-calendar-5.2.14-0.7.30.34.1
      php5-ctype-5.2.14-0.7.30.34.1
      php5-curl-5.2.14-0.7.30.34.1
      php5-dba-5.2.14-0.7.30.34.1
      php5-dbase-5.2.14-0.7.30.34.1
      php5-dom-5.2.14-0.7.30.34.1
      php5-exif-5.2.14-0.7.30.34.1
      php5-fastcgi-5.2.14-0.7.30.34.1
      php5-ftp-5.2.14-0.7.30.34.1
      php5-gd-5.2.14-0.7.30.34.1
      php5-gettext-5.2.14-0.7.30.34.1
      php5-gmp-5.2.14-0.7.30.34.1
      php5-hash-5.2.14-0.7.30.34.1
      php5-iconv-5.2.14-0.7.30.34.1
      php5-json-5.2.14-0.7.30.34.1
      php5-ldap-5.2.14-0.7.30.34.1
      php5-mbstring-5.2.14-0.7.30.34.1
      php5-mcrypt-5.2.14-0.7.30.34.1
      php5-mysql-5.2.14-0.7.30.34.1
      php5-odbc-5.2.14-0.7.30.34.1
      php5-openssl-5.2.14-0.7.30.34.1
      php5-pcntl-5.2.14-0.7.30.34.1
      php5-pdo-5.2.14-0.7.30.34.1
      php5-pear-5.2.14-0.7.30.34.1
      php5-pgsql-5.2.14-0.7.30.34.1
      php5-pspell-5.2.14-0.7.30.34.1
      php5-shmop-5.2.14-0.7.30.34.1
      php5-snmp-5.2.14-0.7.30.34.1
      php5-soap-5.2.14-0.7.30.34.1
      php5-suhosin-5.2.14-0.7.30.34.1
      php5-sysvmsg-5.2.14-0.7.30.34.1
      php5-sysvsem-5.2.14-0.7.30.34.1
      php5-sysvshm-5.2.14-0.7.30.34.1
      php5-tokenizer-5.2.14-0.7.30.34.1
      php5-wddx-5.2.14-0.7.30.34.1
      php5-xmlreader-5.2.14-0.7.30.34.1
      php5-xmlrpc-5.2.14-0.7.30.34.1
      php5-xmlwriter-5.2.14-0.7.30.34.1
      php5-xsl-5.2.14-0.7.30.34.1
      php5-zip-5.2.14-0.7.30.34.1
      php5-zlib-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.7.30.34.1
      php5-5.2.14-0.7.30.34.1
      php5-bcmath-5.2.14-0.7.30.34.1
      php5-bz2-5.2.14-0.7.30.34.1
      php5-calendar-5.2.14-0.7.30.34.1
      php5-ctype-5.2.14-0.7.30.34.1
      php5-curl-5.2.14-0.7.30.34.1
      php5-dba-5.2.14-0.7.30.34.1
      php5-dbase-5.2.14-0.7.30.34.1
      php5-dom-5.2.14-0.7.30.34.1
      php5-exif-5.2.14-0.7.30.34.1
      php5-fastcgi-5.2.14-0.7.30.34.1
      php5-ftp-5.2.14-0.7.30.34.1
      php5-gd-5.2.14-0.7.30.34.1
      php5-gettext-5.2.14-0.7.30.34.1
      php5-gmp-5.2.14-0.7.30.34.1
      php5-hash-5.2.14-0.7.30.34.1
      php5-iconv-5.2.14-0.7.30.34.1
      php5-json-5.2.14-0.7.30.34.1
      php5-ldap-5.2.14-0.7.30.34.1
      php5-mbstring-5.2.14-0.7.30.34.1
      php5-mcrypt-5.2.14-0.7.30.34.1
      php5-mysql-5.2.14-0.7.30.34.1
      php5-odbc-5.2.14-0.7.30.34.1
      php5-openssl-5.2.14-0.7.30.34.1
      php5-pcntl-5.2.14-0.7.30.34.1
      php5-pdo-5.2.14-0.7.30.34.1
      php5-pear-5.2.14-0.7.30.34.1
      php5-pgsql-5.2.14-0.7.30.34.1
      php5-pspell-5.2.14-0.7.30.34.1
      php5-shmop-5.2.14-0.7.30.34.1
      php5-snmp-5.2.14-0.7.30.34.1
      php5-soap-5.2.14-0.7.30.34.1
      php5-suhosin-5.2.14-0.7.30.34.1
      php5-sysvmsg-5.2.14-0.7.30.34.1
      php5-sysvsem-5.2.14-0.7.30.34.1
      php5-sysvshm-5.2.14-0.7.30.34.1
      php5-tokenizer-5.2.14-0.7.30.34.1
      php5-wddx-5.2.14-0.7.30.34.1
      php5-xmlreader-5.2.14-0.7.30.34.1
      php5-xmlrpc-5.2.14-0.7.30.34.1
      php5-xmlwriter-5.2.14-0.7.30.34.1
      php5-xsl-5.2.14-0.7.30.34.1
      php5-zip-5.2.14-0.7.30.34.1
      php5-zlib-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.7.30.34.1
      php5-5.2.14-0.7.30.34.1
      php5-bcmath-5.2.14-0.7.30.34.1
      php5-bz2-5.2.14-0.7.30.34.1
      php5-calendar-5.2.14-0.7.30.34.1
      php5-ctype-5.2.14-0.7.30.34.1
      php5-curl-5.2.14-0.7.30.34.1
      php5-dba-5.2.14-0.7.30.34.1
      php5-dbase-5.2.14-0.7.30.34.1
      php5-dom-5.2.14-0.7.30.34.1
      php5-exif-5.2.14-0.7.30.34.1
      php5-fastcgi-5.2.14-0.7.30.34.1
      php5-ftp-5.2.14-0.7.30.34.1
      php5-gd-5.2.14-0.7.30.34.1
      php5-gettext-5.2.14-0.7.30.34.1
      php5-gmp-5.2.14-0.7.30.34.1
      php5-hash-5.2.14-0.7.30.34.1
      php5-iconv-5.2.14-0.7.30.34.1
      php5-json-5.2.14-0.7.30.34.1
      php5-ldap-5.2.14-0.7.30.34.1
      php5-mbstring-5.2.14-0.7.30.34.1
      php5-mcrypt-5.2.14-0.7.30.34.1
      php5-mysql-5.2.14-0.7.30.34.1
      php5-odbc-5.2.14-0.7.30.34.1
      php5-openssl-5.2.14-0.7.30.34.1
      php5-pcntl-5.2.14-0.7.30.34.1
      php5-pdo-5.2.14-0.7.30.34.1
      php5-pear-5.2.14-0.7.30.34.1
      php5-pgsql-5.2.14-0.7.30.34.1
      php5-pspell-5.2.14-0.7.30.34.1
      php5-shmop-5.2.14-0.7.30.34.1
      php5-snmp-5.2.14-0.7.30.34.1
      php5-soap-5.2.14-0.7.30.34.1
      php5-suhosin-5.2.14-0.7.30.34.1
      php5-sysvmsg-5.2.14-0.7.30.34.1
      php5-sysvsem-5.2.14-0.7.30.34.1
      php5-sysvshm-5.2.14-0.7.30.34.1
      php5-tokenizer-5.2.14-0.7.30.34.1
      php5-wddx-5.2.14-0.7.30.34.1
      php5-xmlreader-5.2.14-0.7.30.34.1
      php5-xmlrpc-5.2.14-0.7.30.34.1
      php5-xmlwriter-5.2.14-0.7.30.34.1
      php5-xsl-5.2.14-0.7.30.34.1
      php5-zip-5.2.14-0.7.30.34.1
      php5-zlib-5.2.14-0.7.30.34.1

   - SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:

      apache2-mod_php5-5.2.14-0.7.30.34.1
      php5-5.2.14-0.7.30.34.1
      php5-bcmath-5.2.14-0.7.30.34.1
      php5-bz2-5.2.14-0.7.30.34.1
      php5-calendar-5.2.14-0.7.30.34.1
      php5-ctype-5.2.14-0.7.30.34.1
      php5-curl-5.2.14-0.7.30.34.1
      php5-dba-5.2.14-0.7.30.34.1
      php5-dbase-5.2.14-0.7.30.34.1
      php5-dom-5.2.14-0.7.30.34.1
      php5-exif-5.2.14-0.7.30.34.1
      php5-fastcgi-5.2.14-0.7.30.34.1
      php5-ftp-5.2.14-0.7.30.34.1
      php5-gd-5.2.14-0.7.30.34.1
      php5-gettext-5.2.14-0.7.30.34.1
      php5-gmp-5.2.14-0.7.30.34.1
      php5-hash-5.2.14-0.7.30.34.1
      php5-iconv-5.2.14-0.7.30.34.1
      php5-json-5.2.14-0.7.30.34.1
      php5-ldap-5.2.14-0.7.30.34.1
      php5-mbstring-5.2.14-0.7.30.34.1
      php5-mcrypt-5.2.14-0.7.30.34.1
      php5-mysql-5.2.14-0.7.30.34.1
      php5-odbc-5.2.14-0.7.30.34.1
      php5-openssl-5.2.14-0.7.30.34.1
      php5-pcntl-5.2.14-0.7.30.34.1
      php5-pdo-5.2.14-0.7.30.34.1
      php5-pear-5.2.14-0.7.30.34.1
      php5-pgsql-5.2.14-0.7.30.34.1
      php5-pspell-5.2.14-0.7.30.34.1
      php5-shmop-5.2.14-0.7.30.34.1
      php5-snmp-5.2.14-0.7.30.34.1
      php5-soap-5.2.14-0.7.30.34.1
      php5-suhosin-5.2.14-0.7.30.34.1
      php5-sysvmsg-5.2.14-0.7.30.34.1
      php5-sysvsem-5.2.14-0.7.30.34.1
      php5-sysvshm-5.2.14-0.7.30.34.1
      php5-tokenizer-5.2.14-0.7.30.34.1
      php5-wddx-5.2.14-0.7.30.34.1
      php5-xmlreader-5.2.14-0.7.30.34.1
      php5-xmlrpc-5.2.14-0.7.30.34.1
      php5-xmlwriter-5.2.14-0.7.30.34.1
      php5-xsl-5.2.14-0.7.30.34.1
      php5-zip-5.2.14-0.7.30.34.1
      php5-zlib-5.2.14-0.7.30.34.1


References:

   http://support.novell.com/security/cve/CVE-2011-1072.html
   http://support.novell.com/security/cve/CVE-2011-1466.html
   http://support.novell.com/security/cve/CVE-2011-2202.html
   http://support.novell.com/security/cve/CVE-2011-3182.html
   http://support.novell.com/security/cve/CVE-2011-4153.html
   http://support.novell.com/security/cve/CVE-2011-4566.html
   http://support.novell.com/security/cve/CVE-2011-4885.html
   http://support.novell.com/security/cve/CVE-2012-0057.html
   http://support.novell.com/security/cve/CVE-2012-0781.html
   http://support.novell.com/security/cve/CVE-2012-0788.html
   http://support.novell.com/security/cve/CVE-2012-0789.html
   http://support.novell.com/security/cve/CVE-2012-0807.html
   http://support.novell.com/security/cve/CVE-2012-0830.html
   http://support.novell.com/security/cve/CVE-2012-0831.html
   https://bugzilla.novell.com/699711
   https://bugzilla.novell.com/709549
   https://bugzilla.novell.com/713652
   https://bugzilla.novell.com/728671
   https://bugzilla.novell.com/733590
   https://bugzilla.novell.com/735613
   https://bugzilla.novell.com/736169
   https://bugzilla.novell.com/738221
   https://bugzilla.novell.com/741520
   https://bugzilla.novell.com/741859
   https://bugzilla.novell.com/742273
   https://bugzilla.novell.com/742806
   https://bugzilla.novell.com/743308
   https://bugzilla.novell.com/744966
   https://bugzilla.novell.com/746661
   https://bugzilla.novell.com/749111
   http://download.novell.com/patch/finder/?keywords=778ae960c062031cb692b8c0c4a67400



More information about the sle-updates mailing list