Mandriva Linux Security Advisory : php (MDVSA-2009:248)
High Nessus Plugin ID 48154
SynopsisThe remote Mandriva Linux host is missing one or more security updates.
DescriptionMultiple vulnerabilities was discovered and corrected in php :
The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291).
Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292)
Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293). However in Mandriva we don't use the bundled libgd source in php per default, there is a unsupported package in contrib named php-gd-bundled that eventually will get updated to pickup these fixes.
This update provides a solution to these vulnerabilities.
SolutionUpdate the affected packages.