PEAR - PHP Extension and Application Repository
» What is it?
PEAR is a framework and distribution system for reusable PHP components.
Sounds good? Perhaps you might want to know about installing PEAR on your system or installing PEAR packages.
You can find help using PEAR packages in the online manual and the FAQ.
If you have been told by other PEAR developers to sign up for a PEAR website account, you can use this interface.
» Hot off the Press
Net_Traceroute and Net_Ping security advisory
PEAR Security Advisory (PSA 200911-14-01)
Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01
Synopsis
Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute packages.
Background
Net_Ping is an OS-independent wrapper class for executing ping calls from PHP.
Net_Traceroute is an OS-independent wrapper class for executing traceroute calls from PHP.
Affected packages
| # | Package | Vulnerable | Unaffected |
|---|---------|------------|------------|
| 1 | Net_Ping | < 2.4.5 | >= 2.4.5 |
| 2 | Net_Traceroute | < 0.21.2 | >= 0.21.2 |

2 affected packages on all of their supported architectures.
Description
Remote Arbitrary Command Injection
Impact
When input from forms is used directly, an attacker could pass values that allow remote arbitrary command injection.
Workaround
Filter your input to make sure the commands passed are shell-escaped, or upgrade to the latest version of both packages.
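One way to apply this workaround before a form value reaches a ping or traceroute command line, as an added example that is not part of the advisory or of the PEAR packages' own code. The function names `validate_target_host` and `build_ping_command`, the Unix-style `ping -c` syntax and the sample inputs are assumptions.

```php
<?php
// Added example: allow-list validation plus shell escaping for a host value
// that will end up on a ping/traceroute command line.
// Function names and sample inputs are hypothetical (constructed here).

/**
 * Return the host if it is a literal IP address or a syntactically valid
 * DNS hostname, otherwise null. Rejecting is safer than trying to clean.
 */
function validate_target_host(string $input): ?string
{
    $host = trim($input);
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // Hostname labels: letters, digits, hyphen; no leading/trailing hyphen.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $host) === 1) {
        return $host;
    }
    return null;
}

/**
 * Build the command string (Unix-style "ping -c" assumed). escapeshellarg()
 * is applied even after validation, so a looser validator stays safe.
 */
function build_ping_command(string $input, int $count = 3): ?string
{
    $host = validate_target_host($input);
    if ($host === null) {
        return null;
    }
    return sprintf('ping -c %d %s', max(1, min($count, 10)), escapeshellarg($host));
}

// Constructed sample inputs: two legitimate targets, three with shell syntax.
$samples = ['192.0.2.10', 'pear.php.net', '192.0.2.10; id', '$(id).example', "example.com\n-f"];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-22s => %s\n", json_encode($s), $cmd ?? 'REJECTED');
}
```

The script only builds and prints the command string; the validator also rejects values starting with `-`, which escaping alone would pass through as a command-line option.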
Resolution
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
- https://download.pear.php.net/package/Net_Ping-2.4.5.tgz
- pear upgrade Net_Ping-2.4.5
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
- https://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
- pear upgrade Net_Traceroute-0.21.2
Reported By
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
Ubuntu Karmic Ships with PEAR-Affecting Issues
Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release. The bug is fixed, and will be included in upcoming updates from Ubuntu.
From PEAR’s perspective, the key issue relates to the zlib library. This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed. The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.
If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message. This means the process failed. The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:
pear install -Z phpdocumentor
Outage over
The core router issues at the hosting provider have been resolved. Sorry for the inconvenience. pear.php.net and the PEAR channel are now back in business.
PEAR Community
Need help?
You can find help and support on our mailing lists and IRC channel.
Our developers are also on LinkedIn, Ohloh, Twitter, Identi.ca or Facebook, as well as the wiki.