From bc285bcc978f61251e02162e110ac8069fafce69 Mon Sep 17 00:00:00 2001 From: Stefan Fritsch Date: Mon, 28 May 2007 16:55:51 +0000 Subject: release php4 and php5 DTSAs git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@5941 e39458fd-73e7-0310-bf30-c45bca0a0e42 --- data/DTSA/advs/39-php5.adv | 97 +++++++++++++++++++++++++++++++++++++++++++++ data/DTSA/advs/39-samba.adv | 33 --------------- data/DTSA/advs/40-php4.adv | 2 +- data/DTSA/advs/41-php5.adv | 97 --------------------------------------------- data/DTSA/advs/41-samba.adv | 33 +++++++++++++++ 5 files changed, 131 insertions(+), 131 deletions(-) create mode 100644 data/DTSA/advs/39-php5.adv delete mode 100644 data/DTSA/advs/39-samba.adv delete mode 100644 data/DTSA/advs/41-php5.adv create mode 100644 data/DTSA/advs/41-samba.adv (limited to 'data/DTSA/advs') diff --git a/data/DTSA/advs/39-php5.adv b/data/DTSA/advs/39-php5.adv new file mode 100644 index 0000000000..32ce0180a2 --- /dev/null +++ b/data/DTSA/advs/39-php5.adv @@ -0,0 +1,97 @@ +source: php5 +date: May 28th, 2007 +author: Stefan Fritsch +vuln-type: several vulnerabilities +problem-scope: remote +debian-specifc: no +cve: CVE-2007-1286 CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453 CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1718 CVE-2007-1777 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889 CVE-2007-1900 CVE-2007-2509 CVE-2007-2510 CVE-2007-2511 +vendor-advisory: +testing-fix: 5.2.0-10+lenny1 +sid-fix: 5.2.2-1 +upgrade: apt-get upgrade + +Several remote vulnerabilities have been discovered in PHP, a +server-side, HTML-embedded scripting language, which may lead to the +execution of arbitrary code. The Common Vulnerabilities and Exposures +project identifies the following problems: + +CVE-2007-1286 + Stefan Esser discovered an overflow in the object reference handling + code of the unserialize() function, which allows the execution of + arbitrary code if malformed input is passed from an application. + +CVE-2007-1375 + Stefan Esser discovered that an integer overflow in the substr_compare() + function allows information disclosure of heap memory. + +CVE-2007-1376 + Stefan Esser discovered that insufficient validation of shared memory + functions allows the disclosure of heap memory. + +CVE-2007-1380 + Stefan Esser discovered that the session handler performs + insufficient validation of variable name length values, which allows + information disclosure through a heap information leak. + +CVE-2007-1453 + Stefan Esser discovered that the filtering framework performs insufficient + input validation, which allows the execution of arbitrary code through a + buffer underflow. + +CVE-2007-1454 + Stefan Esser discovered that the filtering framework can be bypassed + with a special whitespace character. + +CVE-2007-1521 + Stefan Esser discovered a double free vulnerability in the + session_regenerate_id() function, which allows the execution of + arbitrary code. + +CVE-2007-1583 + Stefan Esser discovered that a programming error in the mb_parse_str() + function allows the activation of "register_globals". + +CVE-2007-1700 + Stefan Esser discovered that the session extension incorrectly maintains + the reference count of session variables, which allows the execution of + arbitrary code. + +CVE-2007-1718 + Stefan Esser discovered that the mail() function performs + insufficient validation of folded mail headers, which allows mail + header injection. + +CVE-2007-1777 + Stefan Esser discovered that the extension to handle ZIP archives + performs insufficient length checks, which allows the execution of + arbitrary code. + +CVE-2007-1824 + Stefan Esser discovered an off-by-one in the filtering framework, which + allows the execution of arbitrary code. + +CVE-2007-1887 + Stefan Esser discovered that a buffer overflow in the sqlite extension + allows the execution of arbitrary code. + +CVE-2007-1889 + Stefan Esser discovered that the PHP memory manager performs an + incorrect type cast, which allows the execution of arbitrary code + through buffer overflows. + +CVE-2007-1900 + Stefan Esser discovered that incorrect validation in the email filter + extension allowed the injection of mail headers. + +CVE-2007-2509 + It was discovered that missing input sanitising inside the ftp + extension permits an attacker to execute arbitrary FTP commands. + This requires the attacker to already have access to the FTP + server. + +CVE-2007-2510 + It was discovered that a buffer overflow in the SOAP extension permits + the execution of arbitrary code. + +CVE-2007-2511 + A buffer overflow was discovered in the user_filter_factory_create. diff --git a/data/DTSA/advs/39-samba.adv b/data/DTSA/advs/39-samba.adv deleted file mode 100644 index 5f16c25f23..0000000000 --- a/data/DTSA/advs/39-samba.adv +++ /dev/null @@ -1,33 +0,0 @@ -source: samba -date: May 22th, 2007 -author: Stefan Fritsch -vuln-type: several vulnerabilities -problem-scope: remote -debian-specifc: no -cve: CVE-2007-2444 CVE-2007-2446 CVE-2007-2447 -vendor-advisory: -testing-fix: 3.0.24-6+lenny2 -sid-fix: 3.0.25-1 -upgrade: apt-get upgrade - -Several issues have been identified in Samba, the SMB/CIFS file- and -print-server implementation for GNU/Linux. - -CVE-2007-2444 - -When translating SIDs to/from names using Samba local list of user and group -accounts, a logic error in the smbd daemon's internal security stack may result -in a transition to the root user id rather than the non-root user. The user is -then able to temporarily issue SMB/CIFS protocol operations as the root user. -This window of opportunity may allow the attacker to establish addition means -of gaining root access to the server. - -CVE-2007-2446 - -Various bugs in Samba's NDR parsing can allow a user to send specially crafted -MS-RPC requests that will overwrite the heap space with user defined data. - -CVE-2007-2447 - -Unescaped user input parameters are passed as arguments to /bin/sh allowing for -remote command execution. diff --git a/data/DTSA/advs/40-php4.adv b/data/DTSA/advs/40-php4.adv index d876541530..4552f2b322 100644 --- a/data/DTSA/advs/40-php4.adv +++ b/data/DTSA/advs/40-php4.adv @@ -1,5 +1,5 @@ source: php4 -date: May 24th, 2007 +date: May 28th, 2007 author: Stefan Fritsch vuln-type: several vulnerabilities problem-scope: remote diff --git a/data/DTSA/advs/41-php5.adv b/data/DTSA/advs/41-php5.adv deleted file mode 100644 index 8d07431f49..0000000000 --- a/data/DTSA/advs/41-php5.adv +++ /dev/null @@ -1,97 +0,0 @@ -source: php5 -date: May 26th, 2007 -author: Stefan Fritsch -vuln-type: several vulnerabilities -problem-scope: remote -debian-specifc: no -cve: CVE-2007-1286 CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453 CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1700 CVE-2007-1718 CVE-2007-1777 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889 CVE-2007-1900 CVE-2007-2509 CVE-2007-2510 CVE-2007-2511 -vendor-advisory: -testing-fix: 5.2.0-10+lenny1 -sid-fix: 5.2.2-1 -upgrade: apt-get upgrade - -Several remote vulnerabilities have been discovered in PHP, a -server-side, HTML-embedded scripting language, which may lead to the -execution of arbitrary code. The Common Vulnerabilities and Exposures -project identifies the following problems: - -CVE-2007-1286 - Stefan Esser discovered an overflow in the object reference handling - code of the unserialize() function, which allows the execution of - arbitrary code if malformed input is passed from an application. - -CVE-2007-1375 - Stefan Esser discovered that an integer overflow in the substr_compare() - function allows information disclosure of heap memory. - -CVE-2007-1376 - Stefan Esser discovered that insufficient validation of shared memory - functions allows the disclosure of heap memory. - -CVE-2007-1380 - Stefan Esser discovered that the session handler performs - insufficient validation of variable name length values, which allows - information disclosure through a heap information leak. - -CVE-2007-1453 - Stefan Esser discovered that the filtering framework performs insufficient - input validation, which allows the execution of arbitrary code through a - buffer underflow. - -CVE-2007-1454 - Stefan Esser discovered that the filtering framework can be bypassed - with a special whitespace character. - -CVE-2007-1521 - Stefan Esser discovered a double free vulnerability in the - session_regenerate_id() function, which allows the execution of - arbitrary code. - -CVE-2007-1583 - Stefan Esser discovered that a programming error in the mb_parse_str() - function allows the activation of "register_globals". - -CVE-2007-1700 - Stefan Esser discovered that the session extension incorrectly maintains - the reference count of session variables, which allows the execution of - arbitrary code. - -CVE-2007-1718 - Stefan Esser discovered that the mail() function performs - insufficient validation of folded mail headers, which allows mail - header injection. - -CVE-2007-1777 - Stefan Esser discovered that the extension to handle ZIP archives - performs insufficient length checks, which allows the execution of - arbitrary code. - -CVE-2007-1824 - Stefan Esser discovered an off-by-one in the filtering framework, which - allows the execution of arbitrary code. - -CVE-2007-1887 - Stefan Esser discovered that a buffer overflow in the sqlite extension - allows the execution of arbitrary code. - -CVE-2007-1889 - Stefan Esser discovered that the PHP memory manager performs an - incorrect type cast, which allows the execution of arbitrary code - through buffer overflows. - -CVE-2007-1900 - Stefan Esser discovered that incorrect validation in the email filter - extension allowed the injection of mail headers. - -CVE-2007-2509 - It was discovered that missing input sanitising inside the ftp - extension permits an attacker to execute arbitrary FTP commands. - This requires the attacker to already have access to the FTP - server. - -CVE-2007-2510 - It was discovered that a buffer overflow in the SOAP extension permits - the execution of arbitrary code. - -CVE-2007-2511 - A buffer overflow was discovered in the user_filter_factory_create. diff --git a/data/DTSA/advs/41-samba.adv b/data/DTSA/advs/41-samba.adv new file mode 100644 index 0000000000..5f16c25f23 --- /dev/null +++ b/data/DTSA/advs/41-samba.adv @@ -0,0 +1,33 @@ +source: samba +date: May 22th, 2007 +author: Stefan Fritsch +vuln-type: several vulnerabilities +problem-scope: remote +debian-specifc: no +cve: CVE-2007-2444 CVE-2007-2446 CVE-2007-2447 +vendor-advisory: +testing-fix: 3.0.24-6+lenny2 +sid-fix: 3.0.25-1 +upgrade: apt-get upgrade + +Several issues have been identified in Samba, the SMB/CIFS file- and +print-server implementation for GNU/Linux. + +CVE-2007-2444 + +When translating SIDs to/from names using Samba local list of user and group +accounts, a logic error in the smbd daemon's internal security stack may result +in a transition to the root user id rather than the non-root user. The user is +then able to temporarily issue SMB/CIFS protocol operations as the root user. +This window of opportunity may allow the attacker to establish addition means +of gaining root access to the server. + +CVE-2007-2446 + +Various bugs in Samba's NDR parsing can allow a user to send specially crafted +MS-RPC requests that will overwrite the heap space with user defined data. + +CVE-2007-2447 + +Unescaped user input parameters are passed as arguments to /bin/sh allowing for +remote command execution. -- cgit v1.2.3