-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0088
Title: Multiple vulnerabilities fixed in php
Version history:
    25.07.2012  Initial publication

Summary
=======
Multiple vulnerabilities have been discovered and corrected in php.

Impact type: allows unauthorized disclosure of information; allows
unauthorized modification; allows disruption of service.

The fixed releases are PHP 5.3.15 (5.3 branch) and PHP 5.4.5 (5.4 branch).
Updated packages based on 5.3.15 are not vulnerable to these issues.

CVE-2012-3365 [3]
CVE-2012-2688 [2]

CVSS v2 Base Score: 10.0 (CRITICAL) (AV:N/AC:L/Au:N/C:C/I:C/A:C) [1]

Vulnerable systems
==================
PHP releases before 5.3.15, and 5.4.x releases before 5.4.5

Original Details
================
Unspecified vulnerability in the _php_stream_scandir function in the stream
implementation in PHP before 5.3.15 and 5.4.x before 5.4.5 has unknown impact
and remote attack vectors, related to an "overflow" (CVE-2012-2688) [2].

The SQLite functionality in PHP before 5.3.15 allows remote attackers to
bypass the open_basedir protection mechanism via unspecified vectors
(CVE-2012-3365) [3].

What can you do?
================
A fix is available [4]: upgrade to PHP 5.3.15 or 5.4.5, or install your
distribution's updated packages. Until the update is applied, do not rely on
open_basedir alone to confine untrusted scripts, since CVE-2012-3365 allows it
to be bypassed.

What to tell your users?
========================
N/A

More information
================
[1] Information about CVSS: http://www.first.org/cvss/cvss-guide.html
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2688
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3365
[4] http://www.php.net/archive/2012.php#id2012-07-19-1

Best regards,
CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQECrbAAoJEPpzpNLI8SVo1PgP/1LjK2xQNdkusTdVw9m4wJ4N
c8NJmAYgc6FIiUxEDbeYYlks0wPXcwsX53UAz+iETRxIBBf3MU0eqx4elOnaaS8z
wnCbLUPFe3bQa/Dr3Wpr4VXQKprU1jhTk28txiHeKmhc9uJpUl0tLJ/HzDIyPKsc
/uq22c9xbxJFR2wSEsYO1T+Pfjk/EgmrArDFHnWWAoDa6+RF2VS8+d2nADgf7JdC
UarMtAMkSj2bK9cAUaxrjvFud1WQFwME6QrwPPDgnzGMzzb7OWAqwkOEXNarJfYv
XSZ0rXC6EZcQHcptinOnm9Ihv74dyY/8qOFo+JSiX33WjoWi0H+UpCFSmoHuCg4c
aMZARufVL41p+eyLaUOZxq5yw8CZGZ5Efl/SH6Zt6eW7U+bBhTh7b3cKqMcM2cqN
0gceNHmo1bPqI15JdBf2AWu60Oqc1vbp8SIaEd3Y9jmUzjca5RniNfzzIY/mNFko
T2iqLIkk95g9ggVaCB7nrJuiwyytz8mYwIVQpXAwAmBkHeJkY8i84Uslo9+Y9fMg
3d6BFSKNO8Jr8OJ34VvMAhCZN7kwI6bjvpvZtAaUw6WnWIchQrYTGn0C/7juiPZb
aA94qQ4FY6QBPTNA9wOG3NAHXP1z6JXOsE9QNslTA9A7wJHq7wSKpSZK0+GNBbIC
aiXVJ0Ej5KIo8qgYDbd7
=9E0y
-----END PGP SIGNATURE-----
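Added example, appended after the signed advisory rather than inside it so the signed body is left untouched; it is not part of the CERT-EU message, nor of PHP or any distribution. It turns the "Vulnerable systems" ranges above into a runnable check: a POSIX sh script that takes the first line of `php -v` output and reports whether the version falls before 5.3.15, or on the 5.4 branch before 5.4.5. The function names (vercmp, php_vulnerable), the exit-code convention and the sample banners are this example's own assumptions, not anything the advisory defines.

```shell
#!/bin/sh
# Added example (not part of the CERT-EU advisory or of PHP).
# Decide whether a PHP version string lies in the ranges the advisory
# calls vulnerable: anything before 5.3.15, or any 5.4.x before 5.4.5.
# Exit status convention (ours): 0 = vulnerable, 1 = fixed, 2 = unparseable.

# Compare two dotted numeric versions component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1;  return; fi
    done
    echo 0
}

# Accepts either a bare version ("5.3.10") or the first line of `php -v`
# ("PHP 5.3.10-1ubuntu3.2 (cli) (built: ...)"). Distribution suffixes such
# as "-1ubuntu3.2" and release tags such as "RC1" are cut off before comparing.
php_vulnerable() {
    v="${1#PHP }"
    v=$(printf '%s\n' "$v" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p')
    v="${v%.}"
    [ -n "$v" ] || return 2
    case "$v" in
        5.4.*) fixed=5.4.5 ;;                 # 5.4 branch fixed in 5.4.5
        *)     fixed=5.3.15 ;;                # everything else fixed from 5.3.15
    esac
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        return 0
    fi
    return 1
}

# Constructed sample `php -v` first lines (not taken from real hosts), to
# exercise the check offline.
for sample in \
    "PHP 5.3.10-1ubuntu3.2 (cli) (built: Jun 13 2012 17:19:58)" \
    "PHP 5.4.4 (cli) (built: Jun 14 2012 00:12:01)" \
    "PHP 5.3.15 (cli) (built: Jul 18 2012 13:26:40)" \
    "PHP 5.4.5 (cli)" \
    "no version here"
do
    rc=0; php_vulnerable "$sample" || rc=$?
    case $rc in
        0) printf 'VULNERABLE: %s\n' "$sample" ;;
        1) printf 'fixed:      %s\n' "$sample" ;;
        *) printf 'unparsed:   %s\n' "$sample" ;;
    esac
done

# On a real host, feed the live banner instead of the samples:
#   php_vulnerable "$(php -v 2>/dev/null | head -n 1)"
```

One caveat before acting on the result: several distributions backport security fixes without raising the upstream version number, so a banner that reads 5.3.10 may already carry the patches for both CVEs. Treat a "VULNERABLE" verdict from this check as a prompt to confirm against your distribution's package changelog, not as proof that the host is exploitable.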