Package name php4
Date May 10th, 2007
Advisory ID MDKSA-2007:103
Affected versions CS3.0, MNF2.0, CS4.0

Problem Description

A heap buffer overflow flaw was found in the xmlrpc extension for PHP.
A script that implements an XML-RPC server using this extension could
allow a remote attacker to execute arbitrary code as the apache user.
This flaw does not, however, affect PHP applications using the pure-PHP
XML_RPC class provided via PEAR (CVE-2007-1864).

A flaw was found in the ftp extension for PHP. A script using
this extension to provide access to a private FTP server and which
passed untrusted script input directly to any function provided by
this extension could allow a remote attacker to send arbitrary FTP
commands to the server (CVE-2007-2509).
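As an added illustration, not part of the original advisory, the PHP below shows the pattern the ftp paragraph describes (request input passed straight to an ftp_* function) next to a validated version. The request field name, host and credentials are hypothetical; the ftp_* functions are the real PHP ftp extension API. The advisory does not describe how the extra commands reach the server, so the check takes the conservative position that no control character may appear in a value handed to the extension. Validation of this kind is defence in depth; the fix for the flaw itself is the updated package.

```php
<?php
// Added example, not code from the advisory or from Mandriva. It assumes a
// hypothetical request parameter "path" and a hypothetical FTP host
// ftp.example.internal. The ftp_* calls are the real PHP ftp extension API.

// Reject any value that could carry extra lines or stray bytes to the FTP
// server. Assumption: control characters (0x00-0x1F, 0x7F) have no legitimate
// place in a path argument, so they are refused outright.
function is_safe_ftp_argument($value)
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return false;
    }
    // Keep the web client inside one directory tree: no absolute paths,
    // no parent-directory traversal.
    if ($value[0] === '/' || strpos($value, '..') !== false) {
        return false;
    }
    return true;
}

// The pattern the advisory warns about: untrusted input reaches the
// extension unchecked, so whatever the client sent is passed to the server.
function list_dir_unsafe($conn)
{
    $dir = $_GET['path'];          // untrusted, used as-is
    return ftp_nlist($conn, $dir);
}

// Hardened form: validate first, and refuse the request on failure.
function list_dir_safe($conn)
{
    $dir = isset($_GET['path']) ? $_GET['path'] : '';
    if (!is_safe_ftp_argument($dir)) {
        header('HTTP/1.0 400 Bad Request');
        return false;
    }
    return ftp_nlist($conn, $dir);
}

// Usage: the password comes from the environment rather than the script.
$conn = ftp_connect('ftp.example.internal');
if ($conn !== false && ftp_login($conn, 'webuser', getenv('FTP_PASSWORD'))) {
    $entries = list_dir_safe($conn);
    if ($entries !== false) {
        foreach ($entries as $entry) {
            echo htmlspecialchars($entry), "\n";
        }
    }
    ftp_close($conn);
}
```

The same is_safe_ftp_argument() check applies to every value that ends up in an ftp_* call, not only directory names: file names for ftp_get() and ftp_put(), and the username and password passed to ftp_login() when those come from a request.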

Updated packages have been patched to prevent these issues.

Updated Packages

Corporate Server 3.0

 166f0495b9bd984fc4b887a8920fe111  corporate/3.0/i586/libphp_common432-4.3.4-4.26.C30mdk.i586.rpm
 eba86c8d3254e046b3d065f4db7c0714  corporate/3.0/i586/php-cgi-4.3.4-4.26.C30mdk.i586.rpm
 44248cbc77edc7772b36c1d95d78f7f4  corporate/3.0/i586/php-cli-4.3.4-4.26.C30mdk.i586.rpm
 6c9425c5cdbd25d6ee6bdab6a102f96d  corporate/3.0/i586/php-xmlrpc-4.3.4-1.1.C30mdk.i586.rpm
 bb4d89124e91f1aa872ad7f960210937  corporate/3.0/i586/php432-devel-4.3.4-4.26.C30mdk.i586.rpm 
 7964e9c606307c9af6c1a51160d41caa  corporate/3.0/SRPMS/php-4.3.4-4.26.C30mdk.src.rpm
 0e31d73b03b41014917630a78edd4055  corporate/3.0/SRPMS/php-xmlrpc-4.3.4-1.1.C30mdk.src.rpm

Corporate Server 3.0/X86_64

 de5cd7123835dbe8d58d519661621b92  corporate/3.0/x86_64/lib64php_common432-4.3.4-4.26.C30mdk.x86_64.rpm
 bc7a35cb5360cf4a301a2f514ff1002d  corporate/3.0/x86_64/php-cgi-4.3.4-4.26.C30mdk.x86_64.rpm
 6fe331363e03e221bbbe8ddac95b24b7  corporate/3.0/x86_64/php-cli-4.3.4-4.26.C30mdk.x86_64.rpm
 d27234ec751507f56297eb7ad00246b2  corporate/3.0/x86_64/php-xmlrpc-4.3.4-1.1.C30mdk.x86_64.rpm
 b3717d84991db4ad6bc162b5713421a4  corporate/3.0/x86_64/php432-devel-4.3.4-4.26.C30mdk.x86_64.rpm 
 7964e9c606307c9af6c1a51160d41caa  corporate/3.0/SRPMS/php-4.3.4-4.26.C30mdk.src.rpm
 0e31d73b03b41014917630a78edd4055  corporate/3.0/SRPMS/php-xmlrpc-4.3.4-1.1.C30mdk.src.rpm

Multi Network Firewall 2.0

 35dd2191d078e31f6c6da7b2025413bb  mnf/2.0/i586/libphp_common432-4.3.4-4.26.M20mdk.i586.rpm
 a7f9e65aa53dfb437255840c0f98122d  mnf/2.0/i586/php-cgi-4.3.4-4.26.M20mdk.i586.rpm
 e9337d663c42d7532ccaaa60905ee00d  mnf/2.0/i586/php-cli-4.3.4-4.26.M20mdk.i586.rpm
 74078881402c3e5066572779b8c49a66  mnf/2.0/i586/php432-devel-4.3.4-4.26.M20mdk.i586.rpm 
 738549167401da8b180447dfa41aa190  mnf/2.0/SRPMS/php-4.3.4-4.26.M20mdk.src.rpm

Corporate Server 4.0

 21652b2fb396cce7991e6929bf4b7d87  corporate/4.0/i586/libphp4_common4-4.4.4-1.6.20060mlcs4.i586.rpm
 d93cc1f82bb7cea14228feeaf097d5ec  corporate/4.0/i586/php4-cgi-4.4.4-1.6.20060mlcs4.i586.rpm
 130c70025d28c6a5cdb4e198a0b3ae4f  corporate/4.0/i586/php4-cli-4.4.4-1.6.20060mlcs4.i586.rpm
 2892ae379e430c22a48724e46e1e74be  corporate/4.0/i586/php4-devel-4.4.4-1.6.20060mlcs4.i586.rpm
 dcd1d9a26a05d0c2ec2f44f7312966cd  corporate/4.0/i586/php4-xmlrpc-4.4.4-1.1.20060mlcs4.i586.rpm 
 a30f364c6dcf21387dc2ccbe759053ee  corporate/4.0/SRPMS/php4-4.4.4-1.6.20060mlcs4.src.rpm
 b4e817698d4ea91c75cb1c0709b9ca5e  corporate/4.0/SRPMS/php4-xmlrpc-4.4.4-1.1.20060mlcs4.src.rpm

Corporate Server 4.0/X86_64

 5e357a0f8a1c458b708904417ad1a758  corporate/4.0/x86_64/lib64php4_common4-4.4.4-1.6.20060mlcs4.x86_64.rpm
 3256c4130a3f0004027ee817cb85902e  corporate/4.0/x86_64/php4-cgi-4.4.4-1.6.20060mlcs4.x86_64.rpm
 a29fe77e87c30df6f910340923d6c21c  corporate/4.0/x86_64/php4-cli-4.4.4-1.6.20060mlcs4.x86_64.rpm
 d14a7f38f36e4331107215a8f45d1b67  corporate/4.0/x86_64/php4-devel-4.4.4-1.6.20060mlcs4.x86_64.rpm
 ad13c17cc2de7783913e77114361e639  corporate/4.0/x86_64/php4-xmlrpc-4.4.4-1.1.20060mlcs4.x86_64.rpm 
 a30f364c6dcf21387dc2ccbe759053ee  corporate/4.0/SRPMS/php4-4.4.4-1.6.20060mlcs4.src.rpm
 b4e817698d4ea91c75cb1c0709b9ca5e  corporate/4.0/SRPMS/php4-xmlrpc-4.4.4-1.1.20060mlcs4.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509

Upgrade

To upgrade automatically, use MandrivaUpdate.
Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

		rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.