Security update for PHP5

SUSE Security Update: Security update for PHP5
Announcement ID: SUSE-SU-2012:0496-1
Rating: important
References: #699711 #709549 #713652 #728671 #733590 #735613 #736169 #738221 #741520 #741859 #742273 #742806 #743308 #744966 #746661 #749111
Affected Products:
  • SUSE Linux Enterprise Software Development Kit 11 SP2
  • SUSE Linux Enterprise Software Development Kit 11 SP1
  • SUSE Linux Enterprise Server 11 SP2
  • SUSE Linux Enterprise Server 11 SP1 for VMware
  • SUSE Linux Enterprise Server 11 SP1

  • An update that solves 14 vulnerabilities and has two fixes is now available. It includes one version update.

    Description:


    This update of php5 fixes multiple security flaws:

    * CVE-2011-2202: A php5 upload filename injection was
    fixed.
    * CVE-2011-4566: An integer overflow in the EXIF
    extension was fixed that could be used by attackers to
    crash the interpreter or potentially read memory.
    * CVE-2011-3182: Multiple NULL pointer dereferences
    were fixed that could lead to crashes.
    * CVE-2011-1466: An integer overflow in the PHP
    calendar extension was fixed that could have led to crashes.
    * CVE-2011-1072: A symlink vulnerability in the PEAR
    installer could be exploited by local attackers to inject
    code.
    * CVE-2011-4153: Missing checks of return values could
    allow remote attackers to cause a denial of service (NULL
    pointer dereference).
    * CVE-2011-4885: Denial of service via hash collisions.
    * CVE-2012-0057: Specially crafted XSLT stylesheets
    could allow remote attackers to create arbitrary files with
    arbitrary content.
    * CVE-2012-0781: Remote attackers can cause a denial of
    service via specially crafted input to an application that
    attempts to perform Tidy::diagnose operations.
    * CVE-2012-0788: Applications that use a PDO driver
    were prone to denial of service flaws which could be
    exploited remotely.
    * CVE-2012-0789: A memory leak in the timezone
    functionality could allow remote attackers to cause a
    denial of service (memory consumption).
    * CVE-2012-0807: A stack-based buffer overflow in the
    php5 Suhosin extension could allow remote attackers to
    execute arbitrary code via a long string that is used in a
    Set-Cookie HTTP header.
    * CVE-2012-0830: This fixes an incorrect fix for
    CVE-2011-4885 which could allow remote attackers to execute
    arbitrary code via a request containing a large number of
    variables.
    * CVE-2012-0831: Temporary changes to the
    magic_quotes_gpc directive during the importing of
    environment variables were not properly performed, which makes
    it easier for remote attackers to conduct SQL injections.

    Also the following bugs have been fixed:

    * allow uploading files bigger than 2GB on 64-bit
    systems [bnc#709549]
    * amend README.SUSE to discourage using the apache module
    with apache2-worker [bnc#728671]

    Security Issue references:

    * CVE-2011-2202
    * CVE-2011-4153
    * CVE-2011-4885
    * CVE-2012-0057
    * CVE-2012-0781
    * CVE-2012-0788
    * CVE-2012-0789
    * CVE-2012-0807
    * CVE-2012-0830
    * CVE-2012-0831
    * CVE-2011-4566
    * CVE-2011-3182
    * CVE-2011-1466
    * CVE-2011-1072

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Software Development Kit 11 SP2:
      zypper in -t patch sdksp1-apache2-mod_php5-5964
    • SUSE Linux Enterprise Software Development Kit 11 SP1:
      zypper in -t patch sdksp1-apache2-mod_php5-5964
    • SUSE Linux Enterprise Server 11 SP2:
      zypper in -t patch slessp1-apache2-mod_php5-5964
    • SUSE Linux Enterprise Server 11 SP1 for VMware:
      zypper in -t patch slessp1-apache2-mod_php5-5964
    • SUSE Linux Enterprise Server 11 SP1:
      zypper in -t patch slessp1-apache2-mod_php5-5964

    To bring your system up-to-date, use "zypper patch".
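    The following script is an added example and is not part of the SUSE advisory or of any SUSE tooling. After running the patch command above, an administrator typically wants to confirm that every php5 package on the host is actually at the fixed version-release listed in the package list below (5.2.14-0.7.30.34.1). The script compares "name version-release" lines against that value field by field; the rpm output it reads is a constructed sample (one package is deliberately left on a made-up older build number so the check fires), and the rpm query shown in the comment is what you would run on a real SLES 11 host instead.

```sh
#!/bin/sh
# Added example, not part of the SUSE advisory: compare installed php5 package
# versions against the fixed version-release this advisory ships, so an
# administrator can confirm the patch is in place after "zypper patch".

# Fixed version-release taken from the advisory's package list.
FIXED_VR="5.2.14-0.7.30.34.1"

# Compare two dotted/dashed version-release strings field by field as integers.
# Prints "older", "equal" or "newer" for $1 relative to $2. Missing trailing
# fields count as 0, so 5.2.14 equals 5.2.14-0. Assumes purely numeric fields,
# which holds for the php5 packages listed in this advisory.
vr_compare() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}; y=${b%% *}
        # Drop the field just consumed; empty the string when it was the last one.
        case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
        case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo older; return 0; fi
        if [ "$x" -gt "$y" ]; then echo newer; return 0; fi
    done
    echo equal
}

# Print "name version-release" for every package still older than FIXED_VR.
# Input is one "name version-release" line per package, as produced on a
# SLES 11 host by:
#   rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' 'php5*' apache2-mod_php5
outdated_packages() {
    printf '%s\n' "$1" | while read -r name vr; do
        [ -z "$name" ] && continue
        if [ "$(vr_compare "$vr" "$FIXED_VR")" = older ]; then
            printf '%s %s\n' "$name" "$vr"
        fi
    done
}

# Constructed sample of rpm output. The php5-suhosin line carries a made-up
# older build number (0.7.30.26.1) purely to show the check reporting it.
SAMPLE_RPM_OUTPUT='apache2-mod_php5 5.2.14-0.7.30.34.1
php5 5.2.14-0.7.30.34.1
php5-suhosin 5.2.14-0.7.30.26.1
php5-pdo 5.2.14-0.7.30.34.1'

missing=$(outdated_packages "$SAMPLE_RPM_OUTPUT")
if [ -n "$missing" ]; then
    echo "Packages still below $FIXED_VR:"
    echo "$missing"
else
    echo "All php5 packages are at or above $FIXED_VR"
fi
```

On a real host, replace SAMPLE_RPM_OUTPUT with the output of the rpm query in the comment; a non-empty report means the patch did not reach every subpackage (for example a subpackage that zypper skipped because of a lock or a conflicting repository), and the web server should not be considered fixed until the list is empty.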

    Package List:

    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:
    • php5-devel-5.2.14-0.7.30.34.1
    • php5-imap-5.2.14-0.7.30.34.1
    • php5-ncurses-5.2.14-0.7.30.34.1
    • php5-posix-5.2.14-0.7.30.34.1
    • php5-readline-5.2.14-0.7.30.34.1
    • php5-sockets-5.2.14-0.7.30.34.1
    • php5-sqlite-5.2.14-0.7.30.34.1
    • php5-tidy-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64) [New Version: 5.2.14]:
    • apache2-mod_php5-5.2.14-0.7.30.34.1
    • php5-5.2.14-0.7.30.34.1
    • php5-bcmath-5.2.14-0.7.30.34.1
    • php5-bz2-5.2.14-0.7.30.34.1
    • php5-calendar-5.2.14-0.7.30.34.1
    • php5-ctype-5.2.14-0.7.30.34.1
    • php5-curl-5.2.14-0.7.30.34.1
    • php5-dba-5.2.14-0.7.30.34.1
    • php5-dbase-5.2.14-0.7.30.34.1
    • php5-dom-5.2.14-0.7.30.34.1
    • php5-exif-5.2.14-0.7.30.34.1
    • php5-fastcgi-5.2.14-0.7.30.34.1
    • php5-ftp-5.2.14-0.7.30.34.1
    • php5-gd-5.2.14-0.7.30.34.1
    • php5-gettext-5.2.14-0.7.30.34.1
    • php5-gmp-5.2.14-0.7.30.34.1
    • php5-hash-5.2.14-0.7.30.34.1
    • php5-iconv-5.2.14-0.7.30.34.1
    • php5-json-5.2.14-0.7.30.34.1
    • php5-ldap-5.2.14-0.7.30.34.1
    • php5-mbstring-5.2.14-0.7.30.34.1
    • php5-mcrypt-5.2.14-0.7.30.34.1
    • php5-mysql-5.2.14-0.7.30.34.1
    • php5-odbc-5.2.14-0.7.30.34.1
    • php5-openssl-5.2.14-0.7.30.34.1
    • php5-pcntl-5.2.14-0.7.30.34.1
    • php5-pdo-5.2.14-0.7.30.34.1
    • php5-pear-5.2.14-0.7.30.34.1
    • php5-pgsql-5.2.14-0.7.30.34.1
    • php5-pspell-5.2.14-0.7.30.34.1
    • php5-shmop-5.2.14-0.7.30.34.1
    • php5-snmp-5.2.14-0.7.30.34.1
    • php5-soap-5.2.14-0.7.30.34.1
    • php5-suhosin-5.2.14-0.7.30.34.1
    • php5-sysvmsg-5.2.14-0.7.30.34.1
    • php5-sysvsem-5.2.14-0.7.30.34.1
    • php5-sysvshm-5.2.14-0.7.30.34.1
    • php5-tokenizer-5.2.14-0.7.30.34.1
    • php5-wddx-5.2.14-0.7.30.34.1
    • php5-xmlreader-5.2.14-0.7.30.34.1
    • php5-xmlrpc-5.2.14-0.7.30.34.1
    • php5-xmlwriter-5.2.14-0.7.30.34.1
    • php5-xsl-5.2.14-0.7.30.34.1
    • php5-zip-5.2.14-0.7.30.34.1
    • php5-zlib-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:
    • php5-devel-5.2.14-0.7.30.34.1
    • php5-imap-5.2.14-0.7.30.34.1
    • php5-ncurses-5.2.14-0.7.30.34.1
    • php5-posix-5.2.14-0.7.30.34.1
    • php5-readline-5.2.14-0.7.30.34.1
    • php5-sockets-5.2.14-0.7.30.34.1
    • php5-sqlite-5.2.14-0.7.30.34.1
    • php5-tidy-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Software Development Kit 11 SP1 (i586 x86_64) [New Version: 5.2.14]:
    • apache2-mod_php5-5.2.14-0.7.30.34.1
    • php5-5.2.14-0.7.30.34.1
    • php5-bcmath-5.2.14-0.7.30.34.1
    • php5-bz2-5.2.14-0.7.30.34.1
    • php5-calendar-5.2.14-0.7.30.34.1
    • php5-ctype-5.2.14-0.7.30.34.1
    • php5-curl-5.2.14-0.7.30.34.1
    • php5-dba-5.2.14-0.7.30.34.1
    • php5-dbase-5.2.14-0.7.30.34.1
    • php5-dom-5.2.14-0.7.30.34.1
    • php5-exif-5.2.14-0.7.30.34.1
    • php5-fastcgi-5.2.14-0.7.30.34.1
    • php5-ftp-5.2.14-0.7.30.34.1
    • php5-gd-5.2.14-0.7.30.34.1
    • php5-gettext-5.2.14-0.7.30.34.1
    • php5-gmp-5.2.14-0.7.30.34.1
    • php5-hash-5.2.14-0.7.30.34.1
    • php5-iconv-5.2.14-0.7.30.34.1
    • php5-json-5.2.14-0.7.30.34.1
    • php5-ldap-5.2.14-0.7.30.34.1
    • php5-mbstring-5.2.14-0.7.30.34.1
    • php5-mcrypt-5.2.14-0.7.30.34.1
    • php5-mysql-5.2.14-0.7.30.34.1
    • php5-odbc-5.2.14-0.7.30.34.1
    • php5-openssl-5.2.14-0.7.30.34.1
    • php5-pcntl-5.2.14-0.7.30.34.1
    • php5-pdo-5.2.14-0.7.30.34.1
    • php5-pear-5.2.14-0.7.30.34.1
    • php5-pgsql-5.2.14-0.7.30.34.1
    • php5-pspell-5.2.14-0.7.30.34.1
    • php5-shmop-5.2.14-0.7.30.34.1
    • php5-snmp-5.2.14-0.7.30.34.1
    • php5-soap-5.2.14-0.7.30.34.1
    • php5-suhosin-5.2.14-0.7.30.34.1
    • php5-sysvmsg-5.2.14-0.7.30.34.1
    • php5-sysvsem-5.2.14-0.7.30.34.1
    • php5-sysvshm-5.2.14-0.7.30.34.1
    • php5-tokenizer-5.2.14-0.7.30.34.1
    • php5-wddx-5.2.14-0.7.30.34.1
    • php5-xmlreader-5.2.14-0.7.30.34.1
    • php5-xmlrpc-5.2.14-0.7.30.34.1
    • php5-xmlwriter-5.2.14-0.7.30.34.1
    • php5-xsl-5.2.14-0.7.30.34.1
    • php5-zip-5.2.14-0.7.30.34.1
    • php5-zlib-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Server 11 SP2 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:
    • apache2-mod_php5-5.2.14-0.7.30.34.1
    • php5-5.2.14-0.7.30.34.1
    • php5-bcmath-5.2.14-0.7.30.34.1
    • php5-bz2-5.2.14-0.7.30.34.1
    • php5-calendar-5.2.14-0.7.30.34.1
    • php5-ctype-5.2.14-0.7.30.34.1
    • php5-curl-5.2.14-0.7.30.34.1
    • php5-dba-5.2.14-0.7.30.34.1
    • php5-dbase-5.2.14-0.7.30.34.1
    • php5-dom-5.2.14-0.7.30.34.1
    • php5-exif-5.2.14-0.7.30.34.1
    • php5-fastcgi-5.2.14-0.7.30.34.1
    • php5-ftp-5.2.14-0.7.30.34.1
    • php5-gd-5.2.14-0.7.30.34.1
    • php5-gettext-5.2.14-0.7.30.34.1
    • php5-gmp-5.2.14-0.7.30.34.1
    • php5-hash-5.2.14-0.7.30.34.1
    • php5-iconv-5.2.14-0.7.30.34.1
    • php5-json-5.2.14-0.7.30.34.1
    • php5-ldap-5.2.14-0.7.30.34.1
    • php5-mbstring-5.2.14-0.7.30.34.1
    • php5-mcrypt-5.2.14-0.7.30.34.1
    • php5-mysql-5.2.14-0.7.30.34.1
    • php5-odbc-5.2.14-0.7.30.34.1
    • php5-openssl-5.2.14-0.7.30.34.1
    • php5-pcntl-5.2.14-0.7.30.34.1
    • php5-pdo-5.2.14-0.7.30.34.1
    • php5-pear-5.2.14-0.7.30.34.1
    • php5-pgsql-5.2.14-0.7.30.34.1
    • php5-pspell-5.2.14-0.7.30.34.1
    • php5-shmop-5.2.14-0.7.30.34.1
    • php5-snmp-5.2.14-0.7.30.34.1
    • php5-soap-5.2.14-0.7.30.34.1
    • php5-suhosin-5.2.14-0.7.30.34.1
    • php5-sysvmsg-5.2.14-0.7.30.34.1
    • php5-sysvsem-5.2.14-0.7.30.34.1
    • php5-sysvshm-5.2.14-0.7.30.34.1
    • php5-tokenizer-5.2.14-0.7.30.34.1
    • php5-wddx-5.2.14-0.7.30.34.1
    • php5-xmlreader-5.2.14-0.7.30.34.1
    • php5-xmlrpc-5.2.14-0.7.30.34.1
    • php5-xmlwriter-5.2.14-0.7.30.34.1
    • php5-xsl-5.2.14-0.7.30.34.1
    • php5-zip-5.2.14-0.7.30.34.1
    • php5-zlib-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Server 11 SP1 for VMware (i586 x86_64) [New Version: 5.2.14]:
    • apache2-mod_php5-5.2.14-0.7.30.34.1
    • php5-5.2.14-0.7.30.34.1
    • php5-bcmath-5.2.14-0.7.30.34.1
    • php5-bz2-5.2.14-0.7.30.34.1
    • php5-calendar-5.2.14-0.7.30.34.1
    • php5-ctype-5.2.14-0.7.30.34.1
    • php5-curl-5.2.14-0.7.30.34.1
    • php5-dba-5.2.14-0.7.30.34.1
    • php5-dbase-5.2.14-0.7.30.34.1
    • php5-dom-5.2.14-0.7.30.34.1
    • php5-exif-5.2.14-0.7.30.34.1
    • php5-fastcgi-5.2.14-0.7.30.34.1
    • php5-ftp-5.2.14-0.7.30.34.1
    • php5-gd-5.2.14-0.7.30.34.1
    • php5-gettext-5.2.14-0.7.30.34.1
    • php5-gmp-5.2.14-0.7.30.34.1
    • php5-hash-5.2.14-0.7.30.34.1
    • php5-iconv-5.2.14-0.7.30.34.1
    • php5-json-5.2.14-0.7.30.34.1
    • php5-ldap-5.2.14-0.7.30.34.1
    • php5-mbstring-5.2.14-0.7.30.34.1
    • php5-mcrypt-5.2.14-0.7.30.34.1
    • php5-mysql-5.2.14-0.7.30.34.1
    • php5-odbc-5.2.14-0.7.30.34.1
    • php5-openssl-5.2.14-0.7.30.34.1
    • php5-pcntl-5.2.14-0.7.30.34.1
    • php5-pdo-5.2.14-0.7.30.34.1
    • php5-pear-5.2.14-0.7.30.34.1
    • php5-pgsql-5.2.14-0.7.30.34.1
    • php5-pspell-5.2.14-0.7.30.34.1
    • php5-shmop-5.2.14-0.7.30.34.1
    • php5-snmp-5.2.14-0.7.30.34.1
    • php5-soap-5.2.14-0.7.30.34.1
    • php5-suhosin-5.2.14-0.7.30.34.1
    • php5-sysvmsg-5.2.14-0.7.30.34.1
    • php5-sysvsem-5.2.14-0.7.30.34.1
    • php5-sysvshm-5.2.14-0.7.30.34.1
    • php5-tokenizer-5.2.14-0.7.30.34.1
    • php5-wddx-5.2.14-0.7.30.34.1
    • php5-xmlreader-5.2.14-0.7.30.34.1
    • php5-xmlrpc-5.2.14-0.7.30.34.1
    • php5-xmlwriter-5.2.14-0.7.30.34.1
    • php5-xsl-5.2.14-0.7.30.34.1
    • php5-zip-5.2.14-0.7.30.34.1
    • php5-zlib-5.2.14-0.7.30.34.1
    • SUSE Linux Enterprise Server 11 SP1 (i586 ia64 ppc64 s390x x86_64) [New Version: 5.2.14]:
    • apache2-mod_php5-5.2.14-0.7.30.34.1
    • php5-5.2.14-0.7.30.34.1
    • php5-bcmath-5.2.14-0.7.30.34.1
    • php5-bz2-5.2.14-0.7.30.34.1
    • php5-calendar-5.2.14-0.7.30.34.1
    • php5-ctype-5.2.14-0.7.30.34.1
    • php5-curl-5.2.14-0.7.30.34.1
    • php5-dba-5.2.14-0.7.30.34.1
    • php5-dbase-5.2.14-0.7.30.34.1
    • php5-dom-5.2.14-0.7.30.34.1
    • php5-exif-5.2.14-0.7.30.34.1
    • php5-fastcgi-5.2.14-0.7.30.34.1
    • php5-ftp-5.2.14-0.7.30.34.1
    • php5-gd-5.2.14-0.7.30.34.1
    • php5-gettext-5.2.14-0.7.30.34.1
    • php5-gmp-5.2.14-0.7.30.34.1
    • php5-hash-5.2.14-0.7.30.34.1
    • php5-iconv-5.2.14-0.7.30.34.1
    • php5-json-5.2.14-0.7.30.34.1
    • php5-ldap-5.2.14-0.7.30.34.1
    • php5-mbstring-5.2.14-0.7.30.34.1
    • php5-mcrypt-5.2.14-0.7.30.34.1
    • php5-mysql-5.2.14-0.7.30.34.1
    • php5-odbc-5.2.14-0.7.30.34.1
    • php5-openssl-5.2.14-0.7.30.34.1
    • php5-pcntl-5.2.14-0.7.30.34.1
    • php5-pdo-5.2.14-0.7.30.34.1
    • php5-pear-5.2.14-0.7.30.34.1
    • php5-pgsql-5.2.14-0.7.30.34.1
    • php5-pspell-5.2.14-0.7.30.34.1
    • php5-shmop-5.2.14-0.7.30.34.1
    • php5-snmp-5.2.14-0.7.30.34.1
    • php5-soap-5.2.14-0.7.30.34.1
    • php5-suhosin-5.2.14-0.7.30.34.1
    • php5-sysvmsg-5.2.14-0.7.30.34.1
    • php5-sysvsem-5.2.14-0.7.30.34.1
    • php5-sysvshm-5.2.14-0.7.30.34.1
    • php5-tokenizer-5.2.14-0.7.30.34.1
    • php5-wddx-5.2.14-0.7.30.34.1
    • php5-xmlreader-5.2.14-0.7.30.34.1
    • php5-xmlrpc-5.2.14-0.7.30.34.1
    • php5-xmlwriter-5.2.14-0.7.30.34.1
    • php5-xsl-5.2.14-0.7.30.34.1
    • php5-zip-5.2.14-0.7.30.34.1
    • php5-zlib-5.2.14-0.7.30.34.1

    References:

    • http://support.novell.com/security/cve/CVE-2011-1072.html
    • http://support.novell.com/security/cve/CVE-2011-1466.html
    • http://support.novell.com/security/cve/CVE-2011-2202.html
    • http://support.novell.com/security/cve/CVE-2011-3182.html
    • http://support.novell.com/security/cve/CVE-2011-4153.html
    • http://support.novell.com/security/cve/CVE-2011-4566.html
    • http://support.novell.com/security/cve/CVE-2011-4885.html
    • http://support.novell.com/security/cve/CVE-2012-0057.html
    • http://support.novell.com/security/cve/CVE-2012-0781.html
    • http://support.novell.com/security/cve/CVE-2012-0788.html
    • http://support.novell.com/security/cve/CVE-2012-0789.html
    • http://support.novell.com/security/cve/CVE-2012-0807.html
    • http://support.novell.com/security/cve/CVE-2012-0830.html
    • http://support.novell.com/security/cve/CVE-2012-0831.html
    • https://bugzilla.novell.com/699711
    • https://bugzilla.novell.com/709549
    • https://bugzilla.novell.com/713652
    • https://bugzilla.novell.com/728671
    • https://bugzilla.novell.com/733590
    • https://bugzilla.novell.com/735613
    • https://bugzilla.novell.com/736169
    • https://bugzilla.novell.com/738221
    • https://bugzilla.novell.com/741520
    • https://bugzilla.novell.com/741859
    • https://bugzilla.novell.com/742273
    • https://bugzilla.novell.com/742806
    • https://bugzilla.novell.com/743308
    • https://bugzilla.novell.com/744966
    • https://bugzilla.novell.com/746661
    • https://bugzilla.novell.com/749111
    • http://download.suse.com/patch/finder/?keywords=778ae960c062031cb692b8c0c4a67400