Information Security News mailing list archives

Debian and PHP PEAR Projects Update for Application Vulnerabilities


From: InfoSec News <alerts () infosecnews org>
Date: Mon, 28 Jan 2019 07:52:42 +0000 (UTC)

https://www.eweek.com/security/debian-and-php-pear-projects-update-for-application-vulnerabilities

By Sean Michael Kerner
eWeek.com
January 25, 2019

Time and again, security experts and vendors alike recommend that organizations and end users keep software and systems updated with the latest patches.

But what happens when the application infrastructure that is supposed to deliver those patches is itself at risk? That's what open-source and Linux users faced this past week, with a pair of projects reporting vulnerabilities.

On Jan. 22, the Debian Linux distribution reported a vulnerability in its APT package manager, which end users and organizations use to get application updates. That disclosure was followed a day later, on Jan. 23, by PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries.

Debian is a popular Linux distribution and also serves as the base for multiple other Linux distributions, including Ubuntu. The Debian APT vulnerability, identified as CVE-2019-3462, was first reported by researcher Max Justicz, who described the vulnerability as a remote code execution risk.

[...]


