aru
Posted April 4, 2006

Mandriva Advisories

MDKSA-2006:063 : php

Updated php packages fix information disclosure vulnerability

April 2nd, 2006

A vulnerability was discovered where the html_entity_decode() function would return a chunk of memory with length equal to the string supplied, which could include php code, php ini data, other user data, etc.

Note that by default, Corporate 3.0 and Mandriva Linux LE2005 ship with magic_quotes_gpc on, which seems to protect against this vulnerability "out of the box", but users are encouraged to upgrade regardless.

Once the upgraded packages have been installed, users will need to issue a "service httpd restart" in order for the fixed packages to be properly loaded.

Updated packages have been patched to correct this issue.

The released versions of Mandriva GNU/Linux affected are:

CS3.0
MNF2.0
10.2
2006.0

Full information about this advisory, including the updated packages, is available at:

wwwnew.mandriva.com/security/advisories?name=MDKSA-2006:063

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1490

Posted automatically by aru (mdksec2mub v: mdksec2mub,v 0.15 2005/11/24 16:53:12 aru Exp aru $)