[ MDVSA-2009:248 ] php

[dude67]

_______________________________________________________________________

Package : php
Date : September 25, 2009
Affected: 2009.1
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities was discovered and corrected in php:

The php_openssl_apply_verification_policy function in PHP before
5.2.11 does not properly perform certificate validation, which has
unknown impact and attack vectors, probably related to an ability to
spoof certificates (CVE-2009-3291).

Unspecified vulnerability in PHP before 5.2.11 has unknown impact
and attack vectors related to missing sanity checks around exif
processing. (CVE-2009-3292)

Unspecified vulnerability in the imagecolortransparent function in
PHP before 5.2.11 has unknown impact and attack vectors related to an
incorrect sanity check for the color index. (CVE-2009-3293). However
in Mandriva we don't use the bundled libgd source in php per default,
there is a unsupported package in contrib named php-gd-bundled that
eventually will get updated to pickup these fixes.

This update provides a solution to these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3291
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3292
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-3293
_______________________________________________________________________