Vulnerabilities > CVE-2019-11045 - Injection vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | Php
| 101 |
| Application | 7 | |
| OS | 2 | |
| OS | 3 | |
| OS | 1 | |
| OS | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0522-1.NASL description This update for php5 fixes the following issues : Security issues fixed : CVE-2019-11041: Fixed heap buffer over-read in exif_scan_thumbnail() (bsc#1146360). CVE-2019-11042: Fixed heap buffer over-read in exif_process_user_comment() (bsc#1145095). CVE-2019-11043: Fixed possible remote code execution via env_path_info underflow in fpm_main.c (bsc#1154999). CVE-2019-11045: Fixed an issue with the PHP DirectoryIterator class that accepts filenames with embedded \0 bytes (bsc#1159923). CVE-2019-11046: Fixed an out-of-bounds read in bc_shift_addsub (bsc#1159924). CVE-2019-11047: Fixed an information disclosure in exif_read_data (bsc#1159922). CVE-2019-11050: Fixed a buffer over-read in the EXIF extension (bsc#1159927). CVE-2020-7059: Fixed an out-of-bounds read in php_strip_tags_ex (bsc#1162629). CVE-2020-7060: Fixed a global buffer-overflow in mbfl_filt_conv_big5_wchar (bsc#1162632). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-18 modified 2020-03-02 plugin id 134199 published 2020-03-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134199 title SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:0522-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(134199); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/09"); script_cve_id("CVE-2019-11041", "CVE-2019-11042", "CVE-2019-11043", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11050", "CVE-2020-7059", "CVE-2020-7060"); script_name(english:"SUSE SLES12 Security Update : php5 (SUSE-SU-2020:0522-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php5 fixes the following issues : Security issues fixed : CVE-2019-11041: Fixed heap buffer over-read in exif_scan_thumbnail() (bsc#1146360). CVE-2019-11042: Fixed heap buffer over-read in exif_process_user_comment() (bsc#1145095). CVE-2019-11043: Fixed possible remote code execution via env_path_info underflow in fpm_main.c (bsc#1154999). CVE-2019-11045: Fixed an issue with the PHP DirectoryIterator class that accepts filenames with embedded \0 bytes (bsc#1159923). CVE-2019-11046: Fixed an out-of-bounds read in bc_shift_addsub (bsc#1159924). CVE-2019-11047: Fixed an information disclosure in exif_read_data (bsc#1159922). CVE-2019-11050: Fixed a buffer over-read in the EXIF extension (bsc#1159927). CVE-2020-7059: Fixed an out-of-bounds read in php_strip_tags_ex (bsc#1162629). CVE-2020-7060: Fixed a global buffer-overflow in mbfl_filt_conv_big5_wchar (bsc#1162632). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1145095" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1146360" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1154999" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159923" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159924" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159927" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1161982" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1162629" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1162632" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11041/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11042/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11043/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11045/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11046/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11047/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11050/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-7059/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-7060/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20200522-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7e9a53cf" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-522=1 SUSE Linux Enterprise Module for Web Scripting 12:zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-522=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'PHP-FPM Underflow RCE'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-suhosin-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php5-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/02"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php5-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bcmath-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-bz2-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-calendar-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ctype-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-curl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dba-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-debugsource-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-dom-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-enchant-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-exif-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fastcgi-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fileinfo-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-fpm-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ftp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gd-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gettext-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-gmp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-iconv-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-imap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-intl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-json-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-ldap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mbstring-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mcrypt-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-mysql-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-odbc-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-opcache-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-openssl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pcntl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pdo-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pgsql-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-phar-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-posix-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-pspell-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-shmop-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-snmp-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-soap-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sockets-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sqlite-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-suhosin-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvmsg-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvsem-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-sysvshm-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-tokenizer-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-wddx-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlreader-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlrpc-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xmlwriter-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-xsl-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zip-debuginfo-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-5.5.14-109.68.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php5-zlib-debuginfo-5.5.14-109.68.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php5"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0352-1.NASL description This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133546 published 2020-02-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133546 title SUSE SLES12 Security Update : php7 (SUSE-SU-2020:0352-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2020:0352-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(133546); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11050"); script_name(english:"SUSE SLES12 Security Update : php7 (SUSE-SU-2020:0352-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159922" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159923" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159924" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1159927" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11045/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11046/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11047/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-11050/" ); # https://www.suse.com/support/update/announcement/2020/suse-su-20200352-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6d38c59e" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 12-SP5 : zypper in -t patch SUSE-SLE-SDK-12-SP5-2020-352=1 SUSE Linux Enterprise Software Development Kit 12-SP4 : zypper in -t patch SUSE-SLE-SDK-12-SP4-2020-352=1 SUSE Linux Enterprise Module for Web Scripting 12 : zypper in -t patch SUSE-SLE-Module-Web-Scripting-12-2020-352=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-11050"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:apache2-mod_php7-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bcmath-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bz2"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-bz2-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-calendar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-calendar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ctype"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ctype-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dba-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dom"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-dom-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-enchant-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-exif"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-exif-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fastcgi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fastcgi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fileinfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fileinfo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-fpm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ftp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ftp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gettext"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gettext-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-gmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-iconv"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-iconv-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-imap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-intl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-json-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-ldap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mbstring-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mcrypt"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mcrypt-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-odbc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-opcache-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-openssl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pcntl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pcntl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pdo-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pgsql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-phar"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-phar-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-posix"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-posix-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-pspell-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-shmop"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-shmop-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-snmp-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-soap-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sockets"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sockets-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sqlite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sqlite-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvmsg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvmsg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvsem"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvsem-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvshm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-sysvshm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-tokenizer"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-tokenizer-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-wddx"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-wddx-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlreader"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlreader-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlrpc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlwriter"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xmlwriter-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xsl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-xsl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zip"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zip-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zlib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:php7-zlib-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php7-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"apache2-mod_php7-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bcmath-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bcmath-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bz2-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-bz2-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-calendar-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-calendar-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ctype-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ctype-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-curl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-curl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dba-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dba-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-debugsource-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dom-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-dom-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-enchant-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-enchant-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-exif-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-exif-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fastcgi-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fastcgi-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fileinfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fileinfo-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fpm-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-fpm-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ftp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ftp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gd-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gd-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gettext-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gettext-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gmp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-gmp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-iconv-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-iconv-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-imap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-imap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-intl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-intl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-json-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-json-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ldap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-ldap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mbstring-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mbstring-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mcrypt-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mcrypt-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mysql-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-mysql-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-odbc-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-odbc-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-opcache-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-opcache-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-openssl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-openssl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pcntl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pcntl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pdo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pdo-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pgsql-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pgsql-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-phar-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-phar-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-posix-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-posix-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pspell-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-pspell-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-shmop-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-shmop-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-snmp-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-snmp-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-soap-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-soap-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sockets-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sockets-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sqlite-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sqlite-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvmsg-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvmsg-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvsem-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvsem-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvshm-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-sysvshm-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-tokenizer-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-tokenizer-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-wddx-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-wddx-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlreader-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlreader-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlrpc-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlrpc-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlwriter-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xmlwriter-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xsl-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-xsl-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zip-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zip-debuginfo-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zlib-7.0.7-50.91.1")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"php7-zlib-debuginfo-7.0.7-50.91.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php7"); }NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1339.NASL description In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-06-01 modified 2020-06-02 plugin id 133558 published 2020-02-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133558 title Amazon Linux AMI : php72 / php73 (ALAS-2020-1339) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2020-1339. # include("compat.inc"); if (description) { script_id(133558); script_version("1.2"); script_cvs_date("Date: 2020/02/12"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"ALAS", value:"2020-1339"); script_name(english:"Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045) In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047) A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044) When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050) In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations. (CVE-2019-11046)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2020-1339.html" ); script_set_attribute( attribute:"solution", value: "Run 'yum update php72' to update your system. Run 'yum update php73' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php72-xmlrpc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-bcmath"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-cli"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dba"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-dbg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-embedded"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-enchant"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-fpm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-gmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-imap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-intl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-json"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mbstring"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-mysqlnd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-odbc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-opcache"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pdo-dblib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pgsql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-process"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-pspell"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-recode"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-snmp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-soap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-tidy"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xml"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php73-xmlrpc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/10"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"php72-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-bcmath-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-cli-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-common-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dba-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-dbg-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-debuginfo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-devel-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-embedded-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-enchant-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-fpm-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-gmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-imap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-intl-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-json-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-ldap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mbstring-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-mysqlnd-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-odbc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-opcache-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pdo-dblib-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pgsql-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-process-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-pspell-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-recode-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-snmp-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-soap-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-tidy-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xml-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php72-xmlrpc-7.2.26-1.19.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-bcmath-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-cli-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-common-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dba-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-dbg-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-debuginfo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-devel-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-embedded-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-enchant-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-fpm-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-gmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-imap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-intl-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-json-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-ldap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mbstring-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-mysqlnd-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-odbc-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-opcache-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pdo-dblib-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pgsql-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-process-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-pspell-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-recode-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-snmp-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-soap-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-tidy-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xml-7.3.13-1.22.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"php73-xmlrpc-7.3.13-1.22.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php72 / php72-bcmath / php72-cli / php72-common / php72-dba / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2019-437D94E271.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132644 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132644 title Fedora 30 : php (2019-437d94e271) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-437d94e271. # include("compat.inc"); if (description) { script_id(132644); script_version("1.4"); script_cvs_date("Date: 2020/01/31"); script_cve_id("CVE-2019-11044", "CVE-2019-11045", "CVE-2019-11046", "CVE-2019-11047", "CVE-2019-11049", "CVE-2019-11050"); script_xref(name:"FEDORA", value:"2019-437d94e271"); script_name(english:"Fedora 30 : php (2019-437d94e271)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "**PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export'ing certain class instances segfaults). (cmb) - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb) - Fixed bug php#78833 (Integer overflow in pack causes out-of-bound access). (cmb) - Fixed bug php#78814 (strip_tags allows / in tag name => whitelist bypass). (cmb) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-437d94e271" ); script_set_attribute(attribute:"solution", value:"Update the affected php package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC30", reference:"php-7.3.13-1.fc30")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php"); }NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1124.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata.(CVE-2016-7412) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - In PHP before 5.6.28 and 7.x before 7.0.13, incorrect handling of various URI components in the URL parser could be used by attackers to bypass hostname-specific URL checks, as demonstrated by evil.example.com:80#@good.example.com/ and evil.example.com:[email protected]/ inputs to the parse_url function (implemented in the php_url_parse_ex function in ext/standard/url.c).(CVE-2016-10397) - In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an error in the date extension last seen 2020-05-06 modified 2020-02-24 plugin id 133925 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133925 title EulerOS 2.0 SP5 : php (EulerOS-SA-2020-1124) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4628.NASL description Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names. last seen 2020-03-17 modified 2020-02-20 plugin id 133815 published 2020-02-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133815 title Debian DSA-4628-1 : php7.0 - security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0267-1.NASL description This update for php72 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133396 published 2020-01-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133396 title SUSE SLES12 Security Update : php72 (SUSE-SU-2020:0267-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4626.NASL description Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or incorrect validation of path names. last seen 2020-03-17 modified 2020-02-18 plugin id 133733 published 2020-02-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133733 title Debian DSA-4626-1 : php7.3 - security update NASL family CGI abuses NASL id PHP_7_2_26.NASL description According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047) last seen 2020-06-01 modified 2020-06-02 plugin id 132770 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132770 title PHP 7.2.x < 7.2.26 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2019-A54A622670.NASL description **PHP version 7.3.13** (18 Dec 2019) **Bcmath:** - Fixed bug php#78878 (Buffer underflow in bc_shift_addsub). (**CVE-2019-11046**). (cmb) **Core:** - Fixed bug php#78862 (link() silently truncates after a null byte on Windows). (**CVE-2019-11044**). (cmb) - Fixed bug php#78863 (DirectoryIterator class silently truncates after a null byte). (**CVE-2019-11045**). (cmb) - Fixed bug php#78943 (mail() may release string with refcount==1 twice). (**CVE-2019-11049**). (cmb) - Fixed bug php#78787 (Segfault with trait overriding inherited private shadow property). (Nikita) - Fixed bug php#78868 (Calling __autoload() with incorrect EG(fake_scope) value). (Antony Dovgal, Dmitry) - Fixed bug php#78296 (is_file fails to detect file). (cmb) **EXIF:** - Fixed bug php#78793 (Use-after-free in exif parsing under memory sanitizer). (**CVE-2019-11050**). (Nikita) - Fixed bug php#78910 (Heap-buffer-overflow READ in exif). (**CVE-2019-11047**). (Nikita) **GD:** - Fixed bug php#78849 (GD build broken with -D SIGNED_COMPARE_SLOW). (cmb) **MBString:** - Upgraded bundled Oniguruma to 6.9.4. (cmb) **OPcache:** - Fixed potential ASLR related invalid opline handler issues. (cmb) - Fixed $x = (bool)$x; with opcache (should emit undeclared variable notice). (Tyson Andre) **PCRE:** - Fixed bug php#78853 (preg_match() may return integer > 1). (cmb) **Standard:** - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita) - Fixed bug php#77638 (var_export last seen 2020-06-01 modified 2020-06-02 plugin id 132655 published 2020-01-06 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132655 title Fedora 31 : php (2019-a54a622670) NASL family CGI abuses NASL id PHP_7_4_1.NASL description According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities: - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 CVE-2019-11045) - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046) - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047 CVE-2019-11050) - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, and to cause the application to segfault and stop responding. last seen 2020-06-01 modified 2020-06-02 plugin id 132769 published 2020-01-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132769 title PHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2050.NASL description Several security bugs have been identified and fixed in php5, a server-side, HTML-embedded scripting language. The affected components include the exif module and handling of filenames with \0 embedded. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 132422 published 2019-12-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132422 title Debian DLA-2050-1 : php5 security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-80.NASL description This update for php7 fixes the following issues : - CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). - CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). - CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 133133 published 2020-01-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133133 title openSUSE Security Update : php7 (openSUSE-2020-80) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4239-1.NASL description It was discovered that PHP incorrectly handled certain files. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, 19.04 and 19.10. (CVE-2019-11045) It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2019-11046) It was discovered that PHP incorrectly handled certain images. An attacker could possibly use this issue to access sensitive information. (CVE-2019-11047, CVE-2019-11050). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132953 published 2020-01-16 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132953 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : php5, php7.0, php7.2, php7.3 vulnerabilities (USN-4239-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0101-1.NASL description This update for php7 fixes the following issues : CVE-2019-11045: Fixed an issue with improper input validation in the filename handling of the DirectoryIterator class (bsc#1159923). CVE-2019-11046: Fixed an information leak in bc_shift_addsub() (bsc#1159924). CVE-2019-11047, CVE-2019-11050: Fixed multiple information leaks in exif_read_data() (bsc#1159922, bsc#1159927). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 132927 published 2020-01-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132927 title SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:0101-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1350.NASL description According to the versions of the php packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.(CVE-2019-11050) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-04-07 modified 2020-04-02 plugin id 135137 published 2020-04-02 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135137 title EulerOS Virtualization for ARM 64 3.0.6.0 : php (EulerOS-SA-2020-1350) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1172.NASL description According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This leads to a heap-based buffer over-read.(CVE-2019-19204) - Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.(CVE-2019-16163) - Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in str_lower_case_match in regexec.c.(CVE-2019-19246) - PHP through 7.1.11 enables potential SSRF in applications that accept an fsockopen or pfsockopen hostname argument with an expectation that the port number is constrained. Because a :port syntax is recognized, fsockopen will use the port number that is specified in the hostname argument, instead of the port number in the second argument of the function.(CVE-2017-7272) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.(CVE-2019-11045) - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren last seen 2020-05-03 modified 2020-02-25 plugin id 134006 published 2020-02-25 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134006 title EulerOS 2.0 SP8 : php (EulerOS-SA-2020-1172)
References
- https://bugs.php.net/bug.php?id=78863
- https://lists.debian.org/debian-lts-announce/2019/12/msg00034.html
- https://security.netapp.com/advisory/ntap-20200103-0002/
- https://usn.ubuntu.com/4239-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00036.html
- https://seclists.org/bugtraq/2020/Feb/27
- https://www.debian.org/security/2020/dsa-4626
- https://seclists.org/bugtraq/2020/Feb/31
- https://www.debian.org/security/2020/dsa-4628
- https://seclists.org/bugtraq/2021/Jan/3
- https://www.tenable.com/security/tns-2021-14
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N7GCOAE6KVHYJ3UQ4KLPLTGSLX6IRVRN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWRQPYXVG43Q7DXMXH6UVWMKWGUW552F/