Updated postgresql84 packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

PostgreSQL is an advanced object-relational database management system (DBMS).

A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value. (CVE-2011-2483)

Note: Due to the CVE-2011-2483 fix, after installing this update some users may not be able to log in to applications that store user passwords, hashed with Blowfish using the PostgreSQL crypt() function, in a back-end PostgreSQL database. Unsafe processing can be re-enabled for specific passwords (allowing affected users to log in) by changing their hash prefix to '$2x$'.

These updated postgresql84 packages upgrade PostgreSQL to version 8.4.9. Refer to the PostgreSQL Release Notes for a full list of changes :

http://www.postgresql.org/docs/8.4/static/release.html

All PostgreSQL users are advised to upgrade to these updated packages, which correct this issue. If the postgresql service is running, it will be automatically restarted after installing this update.

Multiple vulnerabilities was discovered and fixed in glibc :

The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296 (CVE-2011-1089).

Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071 (CVE-2011-1659).

crypt_blowfish before 1.1, as used in glibc on certain platforms, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash (CVE-2011-2483).

The updated packages have been patched to correct these issues.

PostgreSQL was updated to the latest stable release 8.1.23, fixing various bugs and security issues.

The following security issues have been fixed :

  - CVE-2012-3488: This update fixes arbitrary read and     write of files via XSL functionality.

  - CVE-2012-2655: postgresql: denial of service (stack     exhaustion) via specially crafted SQL.

  - CVE-2011-2483: crypt_blowfish was mishandling 8 bit     characters.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

PHP before 5.3.7 does not properly check the return values of the malloc, calloc, and realloc library functions, which allows context-dependent attackers to cause a denial of service (NULL pointer dereference and application crash) or trigger a buffer overflow by leveraging the ability to provide an arbitrary value for a function argument, related to (1) ext/curl/interface.c, (2) ext/date/lib/parse_date.c, (3) ext/date/lib/parse_iso_intervals.c, (4) ext/date/lib/parse_tz.c, (5) ext/date/lib/timelib.c, (6) ext/pdo_odbc/pdo_odbc.c, (7) ext/reflection/php_reflection.c, (8) ext/soap/php_sdl.c, (9) ext/xmlrpc/libxmlrpc/base64.c, (10) TSRM/tsrm_win32.c, and (11) the strtotime function.

The is_a function in PHP 5.3.7 and 5.3.8 triggers a call to the
__autoload function, which makes it easier for remote attackers to execute arbitrary code by providing a crafted URL and leveraging potentially unsafe behavior in certain PEAR packages and custom autoloaders.

php: changes to is_a() in 5.3.7 may allow arbitrary code execution with certain code

A signedness issue was found in the way the PHP crypt() function handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.

A signedness issue was found in the way the crypt() function in the PostgreSQL pgcrypto module handled 8-bit characters in passwords when using Blowfish hashing. Up to three characters immediately preceding a non-ASCII character (one with the high bit set) had no effect on the hash result, thus shortening the effective password length. This made brute-force guessing more efficient as several different passwords were hashed to the same value.

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

A stack-based buffer overflow flaw was found in the way the PHP socket extension handled long AF_UNIX socket addresses. An attacker able to make a PHP script connect to a long AF_UNIX socket address could use this flaw to crash the PHP interpreter.

Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket.

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

An off-by-one flaw was found in PHP. If an attacker uploaded a file with a specially crafted file name it could cause a PHP script to attempt to write a file to the root (/) directory. By default, PHP runs as the 'apache' user, preventing it from writing to the root directory.

The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a 'file path injection vulnerability.'

Use-after-free vulnerability in the substr_replace function in PHP 5.3.6 and earlier allows context-dependent attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by using the same variable for multiple arguments.

A use-after-free flaw was found in the PHP substr_replace() function.
If a PHP script used the same variable as multiple function arguments, a remote attacker could possibly use this to crash the PHP interpreter or, possibly, execute arbitrary code.

According to its banner, the version of PHP 5.3.x running on the remote host is prior to 5.3.7. It is, therefore, affected by the following vulnerabilities :

  - A use-after-free vulnerability in substr_replace().
   (CVE-2011-1148)

  - A stack-based buffer overflow in socket_connect().
   (CVE-2011-1938)

  - A code execution vulnerability in ZipArchive::addGlob().
    (CVE-2011-1657)

  - crypt_blowfish was updated to 1.2. (CVE-2011-2483)

  - Multiple NULL pointer dereferences. (CVE-2011-3182)

  - An unspecified crash in error_log(). (CVE-2011-3267)

  - A buffer overflow in crypt(). (CVE-2011-3268)

  - A flaw exists in the php_win32_get_random_bytes()     function when passing MCRYPT_DEV_URANDOM as source to     mcrypt_create_iv(). A remote attacker can exploit this     to cause a denial of service condition.

Security Enhancements and Fixes :

  - Updated crypt_blowfish to 1.2. (CVE-2011-2483)

    - Fixed crash in error_log(). Reported by Mateusz       Kocielski

    - Fixed buffer overflow on overlog salt in crypt().

    - Fixed bug #54939 (File path injection vulnerability in       RFC1867 File upload filename). Reported by Krzysztof       Kotowicz. (CVE-2011-2202)

    - Fixed stack-based buffer overflow in socket_connect().
      (CVE-2011-1938)

    - Fixed bug #54238 (use-after-free in substr_replace()).
      (CVE-2011-1148)

Upstream announce for 5.3.8:
http://www.php.net/archive/2011.php#id2011-08-23-1 Upstream announce for 5.3.7: http://www.php.net/archive/2011.php#id2011-08-18-1

Full Changelog: http://www.php.net/ChangeLog-5.php#5.3.8

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201110-06 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A context-dependent attacker could execute arbitrary code, obtain       sensitive information from process memory, bypass intended access       restrictions, or cause a Denial of Service in various ways.
    A remote attacker could cause a Denial of Service in various ways,       bypass spam detections, or bypass open_basedir restrictions.
  Workaround :

    There is no known workaround at this time.

The remote Oracle Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-1423 advisory.

    - improve CVE-2011-1466 fix to cover CAL_GREGORIAN, CAL_JEWISH

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The blowfish password hashing implementation did not properly handle 8-characters in passwords, which made it easier for attackers to crack the hash (CVE-2011-2483). After this update existing hashes with id '$2a$' for passwords that contain 8-bit characters will no longer be compatible with newly generated hashes. Affected users will either have to change their password to store a new hash or the id of the existing hash has to be manually changed to '$2x$' in order to activate a compat mode. Please see the description of the CVE-2011-2483 glibc update for details.

File uploads could potentially overwrite files owned by the user running php (CVE-2011-2202).

A long salt argument to the crypt function could cause a buffer overflow (CVE-2011-3268)

The blowfish password hashing implementation did not properly handle 8-characters in passwords, which made it easier for attackers to crack the hash (CVE-2011-2483). After this update existing hashes with id '$2a$' for passwords that contain 8-bit characters will no longer be compatible with newly generated hashes. Affected users will either have to change their password to store a new hash or the id of the existing hash has to be manually changed to '$2x$' in order to activate a compat mode. Please see the description of the CVE-2011-2483 glibc update for details.

File uploads could potentially overwrite files owned by the user running php (CVE-2011-2202).

A long salt argument to the crypt function could cause a buffer overflow (CVE-2011-3268)

Incorrect implementation of the error_log function could crash php (CVE-2011-3267)

Versions of PHP 5.3 earlier than 5.3.7 are potentially affected by multiple vulnerabilities : 

  - A stack buffer overflow exists in socket_connect(). (CVE-2011-1938)

  - A use-after-free vulnerability exists in substr_replace(). (CVE-2011-1148)

  - A code execution vulnerability exists in ZipArchive: : addGlob(). (CVE-2011-1657)

  - crypt_blowfish was updated to 1.2. (CVE-2011-2483)

  - Multiple null pointer dereferences exist.

  - An unspecified crash exists in error_log().

  - A buffer overflow vulnerability exists in crypt().
 - A flaw exists in the php_win32_get_random_bytes() function when passing MCRYPT_DEV_URANDOM as source to mcrypt_create_iv(). A remote attacker can exploit this to cause a denial of service condition.

The remote host is running a version of Mac OS X 10.7 that is older than version 10.7.3.  The newer version contains numerous security-related fixes for the following components :

  - Address Book
  - Apache
  - ATS
  - CFNetwork
 - CoreMedia
 - CoreText
 - CoreUI
 - curl
 - Data Security
 - dovecot
 - filecmds
 - ImageIO
 - Internet Sharing
 - Libinfo
 - libresolv
 - libsecurity
 - OpenGL
 - PHP
 - QuickTime
 - Subversion
 - Time Machine
 - WebDAV Sharing
 - Webmail
 - X11

ID	Name	Product	Family	Published	Updated	Severity
56536	CentOS 5 : postgresql84 (CESA-2011:1378)	Nessus	CentOS Local Security Checks	10/19/2011	1/4/2021	medium
61938	Mandriva Linux Security Advisory : glibc (MDVSA-2011:179)	Nessus	Mandriva Local Security Checks	9/6/2012	1/6/2021	medium
83561	SUSE SLED10 / SLES10 Security Update : PostgreSQL (SUSE-SU-2012:1336-1)	Nessus	SuSE Local Security Checks	5/20/2015	1/19/2021	medium
78268	Amazon Linux AMI : php (ALAS-2011-7)	Nessus	Amazon Linux Local Security Checks	10/12/2014	7/10/2019	high
55925	PHP 5.3 < 5.3.7 Multiple Vulnerabilities	Nessus	CGI abuses	8/22/2011	5/26/2025	critical
56218	Fedora 15 : maniadrive-1.2-32.fc15 / php-5.3.8-1.fc15 / php-eaccelerator-0.9.6.1-9.fc15 (2011-11528)	Nessus	Fedora Local Security Checks	9/19/2011	1/11/2021	high
56219	Fedora 14 : maniadrive-1.2-32.fc14 / php-5.3.8-1.fc14 / php-eaccelerator-0.9.6.1-9.fc14 (2011-11537)	Nessus	Fedora Local Security Checks	9/19/2011	1/11/2021	high
56459	GLSA-201110-06 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	10/12/2011	1/6/2021	critical
68382	Oracle Linux 5 / 6 : php53 / and / php (ELSA-2011-1423)	Nessus	Oracle Linux Local Security Checks	7/12/2013	10/22/2024	critical
75433	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2011:1137-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/14/2021	critical
75791	openSUSE Security Update : apache2-mod_php5 (openSUSE-SU-2011:1138-1)	Nessus	SuSE Local Security Checks	6/13/2014	1/14/2021	critical
6015	PHP 5.3.x < 5.3.7 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	8/23/2011	3/6/2019	high
6303	Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities	Nessus Network Monitor	Generic	2/6/2012	3/6/2019	critical

Detections

Analytics

Plugins Search

medium

medium

medium

high

critical

high

high

critical

critical

critical

critical

high

critical