MDVSA-2009:065

Package name

php4

Date

2009-03-05

Advisory ID

MDVSA-2009:065

Affected versions

CS4.0 x86_64 , CS4.0 i586

Problem description

A vulnerability in the cURL library in PHP allowed context-dependent
attackers to bypass safe_mode and open_basedir restrictions and read
arbitrary files using a special URL request (CVE-2007-4850).

improve mbfl_filt_conv_html_dec_flush() error handling in
ext/mbstring/libmbfl/filters/mbfilter_htmlent.c (CVE-2008-5557).

PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
local users to modify behavior of other sites hosted on the same
web server by modifying the mbstring.func_overload setting within
.htaccess, which causes this setting to be applied to other virtual
hosts on the same server (CVE-2009-0754).

The updated packages have been patched to correct these issues.

Updated packages

CS4.0 x86_64

 8e35646c4b35628a85dd76a8f0473464  corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.10.20060mlcs4.x86_64.rpm
 448245361dff74604f72cbfe3f0273fc  corporate/4.0/x86_64/php4-cgi-4.4.4-1.10.20060mlcs4.x86_64.rpm
 377cc8202704396841dd767975373ac4  corporate/4.0/x86_64/php4-cli-4.4.4-1.10.20060mlcs4.x86_64.rpm
 cc6e7fb2188ab99c9f2fe4ee0ab07bfb  corporate/4.0/x86_64/php4-curl-4.4.4-1.2.20060mlcs4.x86_64.rpm
 98b50b1c01f816a916a24dac82bd45f4  corporate/4.0/x86_64/php4-devel-4.4.4-1.10.20060mlcs4.x86_64.rpm
 c8231e042b861977f9b17ba47b4bb8a7  corporate/4.0/x86_64/php4-mbstring-4.4.4-1.2.20060mlcs4.x86_64.rpm 
 4059cd9721229c87b25b6e4743f13c48  corporate/4.0/SRPMS/php4-4.4.4-1.10.20060mlcs4.src.rpm
 813154bf139d89573632a45437136e73  corporate/4.0/SRPMS/php4-curl-4.4.4-1.2.20060mlcs4.src.rpm
 2df4a7ca570808691586f52452b5601e  corporate/4.0/SRPMS/php4-mbstring-4.4.4-1.2.20060mlcs4.src.rpm

CS4.0 i586

 2dfd22f70a79140151e37ffc650ce562  corporate/4.0/i586/libphp4_common4-4.4.4-1.10.20060mlcs4.i586.rpm
 1e7cfaacc2f0de74932c952002090c7e  corporate/4.0/i586/php4-cgi-4.4.4-1.10.20060mlcs4.i586.rpm
 70891521326ccf379ffcade515c07638  corporate/4.0/i586/php4-cli-4.4.4-1.10.20060mlcs4.i586.rpm
 e040b7271eeecdc71fa3d2bcb7da2bb6  corporate/4.0/i586/php4-curl-4.4.4-1.2.20060mlcs4.i586.rpm
 fe575f3f07a86d419eff519bde3510ea  corporate/4.0/i586/php4-devel-4.4.4-1.10.20060mlcs4.i586.rpm
 16fb016459d51d6455f0c51cd912efdb  corporate/4.0/i586/php4-mbstring-4.4.4-1.2.20060mlcs4.i586.rpm 
 4059cd9721229c87b25b6e4743f13c48  corporate/4.0/SRPMS/php4-4.4.4-1.10.20060mlcs4.src.rpm
 813154bf139d89573632a45437136e73  corporate/4.0/SRPMS/php4-curl-4.4.4-1.2.20060mlcs4.src.rpm
 2df4a7ca570808691586f52452b5601e  corporate/4.0/SRPMS/php4-mbstring-4.4.4-1.2.20060mlcs4.src.rpm

References

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5557
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4850