RHSA-2011-0195: php

NASLDB: RHSA-2011-0195: php

General

ID: 51866
Name: RHSA-2011-0195: php

Summary: Check for the version of the php packages

Credits: Tenable Network Security, Inc.

Classification

Risk: –

CVSS: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Base Vector: –
CVSS Temporal Vector: –

Port: 0
Family: Red Hat Local Security Checks
Type: Local

Description

Updated php packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

A flaw was found in the way PHP converted certain floating point values
from string representation to a number. If a PHP script evaluated an
attacker\‘s input in a numeric context, the PHP interpreter could cause high
CPU usage until the script execution time limit is reached. This issue only
affected i386 systems. (CVE-2010-4645)

A numeric truncation error and an input validation flaw were found in the
way the PHP utf8_decode() function decoded partial multi-byte sequences
for some multi-byte encodings, sending them to output without them being
escaped. An attacker could use these flaws to perform a cross-site
scripting attack. (CVE-2009-5016, CVE-2010-3870)

A NULL pointer dereference flaw was found in the PHP
ZipArchive::getArchiveComment function. If a script used this function to
inspect a specially-crafted ZIP archive file, it could cause the PHP
interpreter to crash. (CVE-2010-3709)

All php users should upgrade to these updated packages, which contain
backported patches to resolve these issues. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.