
it-securitynotifies - [IT-SecNots] [MediaWiki-announce] MediaWiki and PHP 5.3.5/5.2.17

it-securitynotifies AT lists.piratenpartei.de

Subject: Security announcements

  • From: Tim Starling <tstarling AT wikimedia.org>
  • To: mediawiki-announce AT lists.wikimedia.org, mediawiki-l AT lists.wikimedia.org
  • Subject: [IT-SecNots] [MediaWiki-announce] MediaWiki and PHP 5.3.5/5.2.17
  • Date: Thu, 13 Jan 2011 15:01:57 +1100
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • Openpgp: id=BF976370

If you're running MediaWiki on a 32-bit platform, you should upgrade
to PHP 5.3.5, PHP 5.2.17 or a patched version of PHP from a Linux
distribution which includes a fix for CVE-2010-4645. If you run
MediaWiki on a 32-bit platform with an earlier version of PHP, you
will be vulnerable to a denial-of-service vulnerability.

CVE-2010-4645 is a vulnerability which causes the conversion from a
string to a floating-point number to take forever, for certain special
strings. PHP's weak typing means that such conversion can take place
implicitly, for example in code like "$string > 0". I can confirm that
MediaWiki has modules which will convert user input to a
floating-point number. Conversion can be triggered by an attacker with
no special privileges.

PHP release announcement:
http://www.php.net/archive/2011.php#id2011-01-06-1

Updated Ubuntu packages:
http://www.ubuntu.com/usn/usn-1042-1

-- Tim Starling

_______________________________________________
MediaWiki announcements mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce
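
A check of a PHP runtime against the fixed releases named in the message above, as an added example that is not part of the original e-mail or of MediaWiki. The function name `cve_2010_4645_status` is hypothetical, a 4-byte `PHP_INT_SIZE` is used as a proxy for a 32-bit build, and a distribution-patched package keeps its older version number, so anything below the fixed releases is reported as needing a look at the distribution's advisory rather than as vulnerable.

```php
<?php
// Added example, not from the advisory: classify a PHP runtime against the
// fixed releases the advisory names (5.2.17 and 5.3.5).

/**
 * @param string $version PHP version string, e.g. PHP_VERSION
 * @param int    $intSize size of a PHP integer in bytes, e.g. PHP_INT_SIZE
 * @return string 'not-32-bit', 'fixed-release' or 'check-distro-patch'
 */
function cve_2010_4645_status($version, $intSize)
{
    // The advisory concerns 32-bit platforms. Assumption: a 32-bit build is
    // recognised by 4-byte integers, which errs toward flagging a host.
    if ($intSize !== 4) {
        return 'not-32-bit';
    }
    // Strip distribution suffixes such as "-1ubuntu9.1" before comparing.
    if (!preg_match('/^\d+\.\d+\.\d+/', $version, $m)) {
        return 'check-distro-patch'; // unparseable: treat as unverified
    }
    $base = $m[0];
    // The 5.3 branch is fixed in 5.3.5, older branches in 5.2.17.
    $fixed = version_compare($base, '5.3.0', '>=') ? '5.3.5' : '5.2.17';
    if (version_compare($base, $fixed, '>=')) {
        return 'fixed-release';
    }
    // Older upstream version: only safe if the package carries the
    // CVE-2010-4645 fix as a backport, which the version cannot show.
    return 'check-distro-patch';
}

// Report for the interpreter executing this file. Run it through the same
// SAPI that serves MediaWiki, since the CLI binary can be a different build.
echo PHP_VERSION, ' (', PHP_INT_SIZE * 8, '-bit integers): ',
    cve_2010_4645_status(PHP_VERSION, PHP_INT_SIZE), "\n";

// Constructed sample inputs, not taken from the advisory.
$samples = array(
    array('5.3.3-1ubuntu9.1', 4), // check-distro-patch
    array('5.3.5', 4),            // fixed-release
    array('5.2.17', 4),           // fixed-release
    array('5.2.14', 8),           // not-32-bit
);
foreach ($samples as $s) {
    echo $s[0], ' / ', $s[1] * 8, '-bit: ',
        cve_2010_4645_status($s[0], $s[1]), "\n";
}
```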


