Executive Summary

Summary
Title: PHP vulnerability

Information
Name: USN-66-2
First vendor Publication: 2005-02-17
Vendor: Ubuntu
Last vendor Modification: 2005-02-17
Severity (Vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact SubScore: NA
Temporal Score: NA
Exploitability Sub Score: NA
 

Security-Database Scoring CVSS v2

Cvss vector:
Cvss Base Score: Not Defined
Attack Range: Not Defined
Cvss Impact Score: Not Defined
Attack Complexity: Not Defined
Cvss Exploit Score: Not Defined
Authentication: Not Defined

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

libapache2-mod-php4 php4-cgi php4-curl

The problem can be corrected by upgrading the affected package to version 4:4.3.8-3ubuntu7.4. In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Ubuntu Security Notice USN-66-1 described a circumvention of the "open_basedir" restriction by using the cURL module. Adam Conrad discovered that the fix from USN-66-1 still allowed this restriction to be bypassed with certain variants of path specifications.

In addition, this update fixes a crash of the PHP interpreter that occurred when curl_init() was called without parameters.

For reference, this is the relevant part of the original advisory:

FraMe from kernelpanik.org reported that the cURL module does not
respect open_basedir restrictions. As a result, scripts which used
cURL to open files with a user-specified path could read arbitrary
local files outside of the open_basedir directory.
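
As an added example (not code from the notice, from PHP or from Ubuntu), this is an application-level guard for the kind of script the original advisory describes, one that passes a user-specified path to cURL: it canonicalises the path before comparing it with the allowed directory and limits cURL to HTTP(S). The notice does not say which path variants defeated the first fix, so the inputs are constructed, generic non-canonical paths. BASE_DIR and both function names are hypothetical, and the code assumes current PHP (7.1 or later) with the curl extension, not the php4 packages named above.

```php
<?php
// Added example: not PHP's, Ubuntu's or the reporter's code.
// BASE_DIR is a hypothetical directory the script may read from.
const BASE_DIR = '/var/www/app/data';

/**
 * Return the canonical path when $userPath resolves inside $baseDir, else null.
 * realpath() collapses "." and ".." segments, repeated slashes and symlinks,
 * so the prefix test runs on the name the filesystem will actually open.
 */
function resolve_inside(string $userPath, string $baseDir): ?string
{
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $userPath);
    if ($base === false || $real === false) {
        return null; // missing base or target: refuse rather than guess
    }
    // The trailing slash stops a sibling such as /var/www/app/data-old matching.
    $base = rtrim($base, '/') . '/';
    return strncmp($real . '/', $base, strlen($base)) === 0 ? $real : null;
}

/** Build a cURL handle for remote fetches only; null for any other scheme. */
function remote_only_curl(string $url)
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null; // file:// and everything else is rejected before cURL runs
    }
    $ch = curl_init($url);
    if ($ch === false) {
        return null;
    }
    // Enforced again inside libcurl, including for redirect targets.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed inputs: one plain file name and two non-canonical paths.
foreach (['report.txt', '../../../../etc/passwd', './/..//../config.php'] as $p) {
    echo $p, ' => ', resolve_inside($p, BASE_DIR) ?? 'refused', PHP_EOL;
}
// Local file URL: refused by the scheme check, so cURL is never invoked.
var_dump(remote_only_curl('file:///etc/passwd') === null);
```

A guard like this complements open_basedir rather than replacing it, so the script does not depend on the interpreter-level check alone.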

Original Source

Url : http://www.ubuntu.com/usn/USN-66-2

Alert History

Date: 2014-02-17 12:05:22
Information: Multiple Updates