Summary
Ubuntu Update for Linux kernel vulnerabilities USN-1437-1
Solution
Please Install the Updated Packages.
Insight
It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Configurations using mod_php5 and FastCGI were not vulnerable.
This update addresses the issue when the PHP CGI interpreter is configured using mod_cgi and mod_actions as described in /usr/share/doc/php5-cgi/README.Debian.gz
however,
if an alternate configuration is used to enable PHP CGI processing, it should be reviewed to ensure that command line arguments cannot be passed to the PHP interpreter. Please see http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html for more details and potential mitigation approaches.
Affected
php5 on Ubuntu 12.04 LTS ,
Ubuntu 11.10 ,
Ubuntu 11.04 ,
Ubuntu 10.04 LTS ,
Ubuntu 8.04 LTS
Severity
Classification
-
CVE CVE-2012-1823, CVE-2012-2311 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities