It was discovered that PHP, when used as a stand alone CGI processor for the Apache Web Server, did not properly parse and filter query strings. This could allow a remote attacker to execute arbitrary code running with the privilege of the web server. Updated packages are available from security.ubuntu.com.
==========================================================================
Ubuntu Security Notice USN-1437-1
May 04, 2012

php5 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

Standalone PHP CGI scripts could be made to execute arbitrary code with
the privilege of the web server.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP, when used as a stand alone CGI processor
for the Apache Web Server, did not properly parse and filter query
strings. This could allow a remote attacker to execute arbitrary code
running with the privilege of the web server. Configurations using
mod_php5 and FastCGI were not vulnerable.

This update addresses the issue when the PHP CGI interpreter is
configured using mod_cgi and mod_actions as described in
/usr/share/doc/php5-cgi/README.Debian.gz; however, if an alternate
configuration is used to enable PHP CGI processing, it should be
reviewed to ensure that command line arguments cannot be passed to
the PHP interpreter. Please see
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
for more details and potential mitigation approaches.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 LTS:
  php5-cgi                        5.3.10-1ubuntu3.1

Ubuntu 11.10:
  php5-cgi                        5.3.6-13ubuntu3.7

Ubuntu 11.04:
  php5-cgi                        5.3.5-1ubuntu7.8

Ubuntu 10.04 LTS:
  php5-cgi                        5.3.2-1ubuntu4.15

Ubuntu 8.04 LTS:
  php5-cgi                        5.2.4-2ubuntu5.24

In general, a standard system update will make all the necessary changes.
References:
  http://www.ubuntu.com/usn/usn-1437-1
  CVE-2012-1823, CVE-2012-2311

Package Information:
  https://launchpad.net/ubuntu/+source/php5/5.3.10-1ubuntu3.1
  https://launchpad.net/ubuntu/+source/php5/5.3.6-13ubuntu3.7
  https://launchpad.net/ubuntu/+source/php5/5.3.5-1ubuntu7.8
  https://launchpad.net/ubuntu/+source/php5/5.3.2-1ubuntu4.15
  https://launchpad.net/ubuntu/+source/php5/5.2.4-2ubuntu5.24