UbuntuUpdates.org

Package "php-pear"

Name: php-pear

Description: PEAR Base System

Latest version: 1:1.10.1+submodules+notgz-6ubuntu0.2
Release: xenial (16.04)
Level: security
Repository: main
Homepage: http://pear.php.net/package/PEAR

Other versions of "php-pear" in Xenial

Repository   Area   Version
base         main   1:1.10.1+submodules+notgz-6
updates      main   1:1.10.1+submodules+notgz-6ubuntu0.2

Changelog

Version: 1:1.10.1+submodules+notgz-6ubuntu0.2 2020-12-01 14:06:17 UTC

  php-pear (1:1.10.1+submodules+notgz-6ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: unserialization attack in Archive_Tar
    - debian/patches/CVE-2020-2894x.patch: catch additional malicious or
      crafted filenames in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2020-28948
    - CVE-2020-28949

 -- Marc Deslauriers <email address hidden> Mon, 30 Nov 2020 10:03:12 -0500

CVE-2020-28948 Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28949 Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to o

Version: 1:1.10.1+submodules+notgz-6ubuntu0.1 2019-01-14 19:07:03 UTC

  php-pear (1:1.10.1+submodules+notgz-6ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: unserialization vulnerability in Archive_Tar
    - debian/patches/CVE-2018-1000888.patch: don't allow filenames to start
      with phar:// in submodules/Archive_Tar/Archive/Tar.php.
    - CVE-2018-1000888

 -- Marc Deslauriers <email address hidden> Fri, 11 Jan 2019 13:24:22 -0500

CVE-2018-1000888 PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with