[php-maint] Bug#671880: php5: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
Henri Salo
henri at nerv.fi
Mon May 7 19:54:40 UTC 2012
Package: php5
Version: 5.4.2-1
Severity: important
Tags: security
http://seclists.org/oss-sec/2012/q2/249
quote:
Hi,
I guess most of you have heard of this one already, yet it should be in
here as well. The original issue was tracked as CERT VU#520827,
CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete
fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
http://www.kb.cert.org/vuls/id/520827
http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
Alexander
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.3-7+squeeze8 server-side, HTML-embedded scripti
ii php5-cgi 5.3.3-7+squeeze8 server-side, HTML-embedded scripti
ii php5-common 5.3.3-7+squeeze8 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
More information about the pkg-php-maint
mailing list