Mandriva Update For Php-pear MDVSA-2011:187 (php-pear) Network Vulnerability

Solution

Please Install the Updated Packages.

Insight

A vulnerability has been discovered and corrected in php-pear: The installer in PEAR before 1.9.2 allows local users to overwrite arbitrary files via a symlink attack on the package.xml file, related to the (1) download_dir, (2) cache_dir, (3) tmp_dir, and (4) pear-build-download directories, a different vulnerability than CVE-2007-2519 (CVE-2011-1072). This advisory provides PEAR 1.9.4 which is not vulnerable to this issue. Additionally for Mandriva Enterprise Server 5 many new or updated PEAR packages is being provided with the latest versions of respective packages as well as mitigating various dependency issues.

Affected

php-pear on Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64, Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64

Severity

Classification

CVE CVE-2007-2519, CVE-2011-1072

CVSS	Base Score: 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P

Related Vulnerabilities

Mandrake Security Advisory MDVSA-2009:155 (git)
Mandrake Security Advisory MDVSA-2009:058 (wireshark)
Mandrake Security Advisory MDVSA-2009:193 (ruby)
Mandrake Security Advisory MDVSA-2009:138 (tomcat5)
Mandrake Security Advisory MDVSA-2009:133 (irssi)

Mandriva Update for php-pear MDVSA-2011:187 (php-pear)

Take action and discover your vulnerabilities