DSA-2403Executive Summary
| Summary | |
|---|---|
| Title | php5 security update |
| Informations | |||
|---|---|---|---|
| Name | DSA-2403 | First vendor Publication | 2012-02-02 |
| Vendor | Debian | Last vendor Modification | 2012-02-06 |
| Severity (Vendor) | N/A | Revision | 2 |
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentification | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
Stefan Esser discovered that the implementation of the max_input_vars configuration variable in a recent PHP security update was flawed such that it allows remote attackers to crash PHP or potentially execute code. This update adds packages for the oldstable distribution, which were missing from the original advisory. The problem has been fixed in version 5.2.6.dfsg.1-1+lenny16, installed into the security archive on 3 Feb 2012. For the stable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze7. For the unstable distribution (sid), this problem has been fixed in version 5.3.10-1. We recommend that you upgrade your php5 packages. |
Original Source
| Url : http://www.debian.org/security/2012/dsa-2403 |
CWE : Common Weakness Enumeration
| id | Name |
|---|---|
| CWE-399 | Resource Management Errors |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 |
(High)
