+++ This bug was initially created as a clone of Bug #294258 +++

Description: Remote Arbitrary Command Injection

Impact: When input from forms is used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround: Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution: The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2.

SVN commit: http://svn.php.net/viewvc/pear/packages/Net_Traceroute/trunk/Traceroute.php?r1=232735&r2=290749
in CVS
Arches, please test and mark stable:
=dev-php/PEAR-Net_Traceroute-0.21.2
Target keywords : "amd64 x86"
x86 stable
amd64 stable, all arches done.
Rerating, GLSA filed. PHP, please remove the vulnerable ebuild.
(In reply to comment #5)
> Rerating, GLSA filed.
>
> PHP, please remove the vulnerable ebuild.

done
GLSA 200911-06
CVE-2009-4025 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4025): Argument injection vulnerability in the traceroute function in Traceroute.php in the Net_Traceroute package before 0.21.2 for PEAR allows remote attackers to execute arbitrary shell commands via the host parameter. NOTE: some of these details are obtained from third party information.
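
The workaround in the bug description (filter and shell-escape input) applied to the host parameter named in the CVE text, as an added example that is not from this bug report or from Net_Traceroute. The function names and the sample inputs are hypothetical; the check goes beyond escaping by also rejecting values that begin with a dash, since escaping alone does not stop a value from being read as an option.

```php
<?php
// Added example: hypothetical helpers, not Net_Traceroute's own code.

/**
 * Return $host unchanged if it is an IP literal or a syntactically valid
 * DNS name; throw otherwise. Anything else (shell metacharacters, spaces,
 * a leading dash) is refused before it gets near a command line.
 */
function validate_host(string $host): string
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    // DNS labels: letters, digits, inner hyphens, 1-63 chars; name <= 253.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = "/^{$label}(?:\\.{$label})*\\z/";
    if (strlen($host) <= 253 && preg_match($pattern, $host) === 1) {
        return $host;
    }
    throw new InvalidArgumentException('host is not an IP address or DNS name');
}

/**
 * Build the command string. escapeshellarg() keeps the value a single
 * shell word; validate_host() has already ensured it cannot start with
 * "-" and so cannot be parsed by traceroute as an option.
 */
function build_traceroute_command(string $host): string
{
    return 'traceroute ' . escapeshellarg(validate_host($host));
}

// Constructed sample inputs: two well-formed hosts, three that must be refused.
$samples = ['192.0.2.10', 'example.org', 'example.org; id', '-w 1', '$(id)'];
foreach ($samples as $input) {
    try {
        echo build_traceroute_command($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($input, true), "\n";
    }
}
```

Only the first two samples produce a command line; the other three are rejected by the allow-list before any escaping is attempted.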