openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2011:1138-1)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

The blowfish password hashing implementation did not properly handle
8-characters in passwords, which made it easier for attackers to crack
the hash (CVE-2011-2483). After this update existing hashes with id
'$2a$' for passwords that contain 8-bit characters will no longer be
compatible with newly generated hashes. Affected users will either
have to change their password to store a new hash or the id of the
existing hash has to be manually changed to '$2x$' in order to
activate a compat mode. Please see the description of the
CVE-2011-2483 glibc update for details.

File uploads could potentially overwrite files owned by the user
running php (CVE-2011-2202).

A long salt argument to the crypt function could cause a buffer
overflow (CVE-2011-3268)

Incorrect implementation of the error_log function could crash php
(CVE-2011-3267)

See also :

http://lists.opensuse.org/opensuse-updates/2011-10/msg00015.html
https://bugzilla.novell.com/show_bug.cgi?id=699711
https://bugzilla.novell.com/show_bug.cgi?id=701491
https://bugzilla.novell.com/show_bug.cgi?id=709549
https://bugzilla.novell.com/show_bug.cgi?id=715640
https://bugzilla.novell.com/show_bug.cgi?id=715646

Solution :

Update the affected apache2-mod_php5 packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: SuSE Local Security Checks

Nessus Plugin ID: 75791 ()

Bugtraq ID:

CVE ID: CVE-2011-2202
CVE-2011-2483
CVE-2011-3267
CVE-2011-3268

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now