PEAR Blog » President Blog

Net_Traceroute and Net_Ping security advisory

david — Sat, 14 Nov 2009 23:39:49 +0000

PEAR Security Advisory (PSA 200911-14-01)

Severity: Serious
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
ID: 200911-14-01

Synopsis

Multiple remote arbitrary command injections have been found in the Net_Ping
and Net_Traceroute.

Background

Net_Ping is an OS independent wrapper class for executing ping calls from PHP

Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP

Affected packages

———————————————————————————————
Package                   / Vulnerable /             Unaffected
———————————————————————————————
1 Net_Ping                   < 2.4.5                   >= 2.4.5
2 Net_Traceroute       < 0.21.2                  >= 0.21.2

———————————————————————————————
2 affected packages on all of their supported architectures.
———————————————————————————————

Description

Remote Arbitrary Command Injection

Impact

When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.

Workaround

Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.

Resolution

The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:

http://download.pear.php.net/package/Net_Ping-2.4.5.tgz
pear upgrade Net_Ping-2.4.5

The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:

http://download.pear.php.net/package/Net_Traceroute-0.21.2.tgz
pear upgrade Net_Traceroute-0.21.2

Reported By

Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.

Link

http://pear.php.net/advisory20091114-01.txt

The new Group has been elected!

david — Mon, 10 Aug 2009 18:42:00 +0000

I am more than glad to announce the arrival, the announcement of the new PEAR Group for 2009 and 2010.

With a few fresh faces in the Group, this year looks very promising with the mix of both new blood and experienced PEAR Group members.

Congratulations to the elected 7s (In no particular order):

Christian Weiske
Chuck Burgress
Daniel O’Connor
Ken Guest
Bill Shupp
Michael Gauthier
Brett Bieber

I can’t wait to have our first meeting and get the year kicking!

Thanks to everyone who voted!

The elections are still going!

david — Sat, 01 Aug 2009 12:42:37 +0000

As every year, the elections for the PEAR Group and PEAR President are happening. This year due to a few factors and messages lost in translation, we decided to extend the elections period by 10 days so more people would have time to vote!

So remember to cast your vote at http://pear.php.net/election/ and you have until the the 5th of August 2009.

There are many new candidates for the Group and I think you should go and check them out!

Election 2008 Results

jeichorn — Sun, 22 Jun 2008 17:24:15 +0000

2008 Elections are now over, you can view the offical results on the PEAR website.

The new PEAR group is:

elections are now over and a new PEAR Group has been formed. Just like last year and always following the Constitution, the new members have been elected by a secret ballot of PEAR Developers. They have chosen:

Joshua Eichorn
Helgi Þormar Þorbjornsson
Joe Stump
Christian Weiske
Chuck Burgess
Travis Swicegood
Brett Bieber

The new PEAR President is: David Coallier

The kickoff meeting for the new group is being held today.

Meet Pyrus: PEAR’s new installer

Greg — Sun, 03 Jun 2007 21:08:24 +0000

A few minutes ago, the PEAR Group finished its third meeting, which was the first attended by newly elected PEAR Group member Paul Jones (welcome Paul!). In addition to other things discussed, the one that really interests me, and I suspect all of you, is the future direction of the repository and the PEAR Installer.

I’m happy to announce that big changes are in the works. First of all, a brand new channel will be created for PEAR’s new PHP5+ packages, and a brand new installer is being created for these packages. The new installer will be named “Pyrus” (pyrus is the genus of the pear fruit), and the new channel is yet to be named, so if you have any ideas, feel free to post comments to this blog entry to help us come up with a good one. In addition, new packages written for this new channel will be hosted in a new Subversion repository to be hosted at svn.pear.php.net

More details about Pyrus will be forthcoming as the code is written. Currently, it lives in http://cvs.php.net/viewvc.cgi/pear-core/PEAR2 and is very much pre-devel stability.

Thanks for using PEAR, the best is yet to come!

Greg

Welcome to PEAR

Greg — Wed, 30 May 2007 05:37:37 +0000

It’s been a great ride so far.

PEAR has undergone a minor revolution in culture in the past several months, and as your newly elected president, I’m excited to start telling you about it. This blog is just one example of the new ways PEAR will be reaching out to the larger PHP community. Although the transfer of power to the newly elected PEAR Group finally completed on May 25 with the election of Paul Jones as the final member, already activity to make some significant changes has taken place.

The PEAR Group will be deciding most of the details, it is my job to reach out to you, programmers of PHP who are looking for a faster or better way to solve the problems you solve every day so that you can focus on the important things.

Plans are well under way to ramp up activity on promoting PHP 5 with new PEAR packages, and we have heard the criticisms loud and clear of the first incarnation of PEAR. Fortunately, we also know what is working and have no plans to throw the baby out with the bathwater. At this stage, I can’t go into details, as official policy has to be decided by the PEAR Group (next meeting is on June 3, so expect news quite soon), but stay tuned to this blog for up-to-the-minute musings by members of the PEAR Group and myself as PEAR blossoms in its new spring.