UbuntuUpdates.org

Package "php-pear"

Name: php-pear

Description:

PEAR Base System

Latest version: 1:1.10.1+submodules+notgz-6ubuntu0.3
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://pear.php.net/package/PEAR

Other versions of "php-pear" in Xenial

Repository Area Version
base main 1:1.10.1+submodules+notgz-6
updates main 1:1.10.1+submodules+notgz-6ubuntu0.3

Changelog

Version: 1:1.10.1+submodules+notgz-6ubuntu0.3 2021-02-08 14:06:28 UTC

  php-pear (1:1.10.1+submodules+notgz-6ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: directory traversal attack in Archive_Tar
    - debian/patches/CVE-2020-36193-1.patch: disallow symlinks to
      out-of-path filenames in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-2.patch: fix out-of-path check for
      virtual relative symlink in submodules/Archive_Tar/Archive/Tar.php.
    - debian/patches/CVE-2020-36193-3.patch: PHP compat fix in
      submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-36193

 -- Marc Deslauriers <email address hidden> Thu, 04 Feb 2021 10:38:49 -0500

CVE-2020-36193 Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue

Version: 1:1.10.1+submodules+notgz-6ubuntu0.2 2020-12-01 14:06:17 UTC

  php-pear (1:1.10.1+submodules+notgz-6ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: unserialization attack in Archive_Tar
    - debian/patches/CVE-2020-2894x.patch: catch additional malicious or
      crafted filenames in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-28948
    - CVE-2020-28949

 -- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 10:03:12 -0500

CVE-2020-28948 Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28949 Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to o

Version: 1:1.10.1+submodules+notgz-6ubuntu0.1 2019-01-14 19:07:03 UTC

  php-pear (1:1.10.1+submodules+notgz-6ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: unserialization vulnerability in Archive_Tar
    - debian/patches/CVE-2018-1000888.patch: don't allow filenames to start
      with phar:// in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2018-1000888

 -- Marc Deslauriers <email address hidden> Fri, 11 Jan 2019 13:24:22 -0500

CVE-2018-1000888 PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with
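The three changelog entries above describe the same family of entry-name checks in Archive_Tar: refusing phar:// names, then refusing them case-insensitively along with any other stream wrapper, then refusing symlinks whose target leaves the extraction directory. The following is an added example, not Archive_Tar's or Ubuntu's own code, that shows a weak check of the first kind beside a hardened one and a lexical symlink containment check; all function and constant names are hypothetical.

```php
<?php
// Added example, not Archive_Tar's own code; function names are hypothetical.

// Weak check (spirit of the CVE-2018-1000888 fix): only an exact lower-case
// "phar://" prefix is refused, so "PHAR://" (CVE-2020-28948) and other
// wrappers such as "file://" (CVE-2020-28949) slip through.
function weakEntryNameCheck(string $name): bool
{
    return strpos($name, 'phar://') !== 0;
}

const WRAPPER_RE = '#^[a-z][a-z0-9+.-]*://#i';   // any "scheme://", any case

// Hardened check: refuse any stream wrapper, absolute paths, and ".."
// components that could escape the extraction directory.
function hardenedEntryNameCheck(string $name): bool
{
    if ($name === '' || preg_match(WRAPPER_RE, $name) || $name[0] === '/') {
        return false;
    }
    return !in_array('..', preg_split('#[/\\\\]+#', $name), true);
}

// Symlink containment (CVE-2020-36193): resolve the link target relative to
// the link's own directory and require the result to stay under the root.
// Purely lexical, so nothing on disk is touched.
function symlinkStaysInsideRoot(string $linkName, string $target): bool
{
    if (!hardenedEntryNameCheck($linkName) || $target === ''
        || $target[0] === '/' || preg_match(WRAPPER_RE, $target)) {
        return false;                        // bad link name or absolute/wrapper target
    }
    $depth = 0;
    foreach (preg_split('#[/\\\\]+#', dirname($linkName) . '/' . $target) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part !== '..') {
            $depth++;
        } elseif (--$depth < 0) {
            return false;                    // climbed above the extraction root
        }
    }
    return true;
}

var_dump(weakEntryNameCheck('PHAR://evil.phar/x'));
var_dump(hardenedEntryNameCheck('PHAR://evil.phar/x'));
var_dump(symlinkStaysInsideRoot('sub/link', '../../etc/passwd'));
```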