Message-ID: <42E99E25.6050105@videotron.ca>
Date: Thu, 28 Jul 2005 23:10:29 -0400
From: Marc Deslauriers <marcdeslauriers@...eotron.ca>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [FLSA-2005:163559] Updated php packages fix security issues

---------------------------------------------------------------------
               Fedora Legacy Update Advisory

Synopsis:          Updated php packages fix security issues
Advisory ID:       FLSA:163559
Issue date:        2005-07-28
Product:           Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-1751 CAN-2005-1921
---------------------------------------------------------------------


---------------------------------------------------------------------
1. Topic:

Updated PHP packages that fix two security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in PHP.
If a PHP script is used which implements an XML-RPC Server using the
PEAR XML-RPC package, then it is possible for a remote attacker to
construct an XML-RPC request which can cause PHP to execute arbitrary
PHP commands as the 'apache' user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921 to
this issue.

A race condition in temporary file handling was discovered in the shtool
script installed by PHP. If a third-party PHP module which uses shtool
was compiled as root, a local user may be able to modify arbitrary
files. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2005-1751 to this issue.

Users of PHP should upgrade to these updated packages, which contain
backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163559

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.3.legacy.i386.rpm

7. Verification:

SHA1 sum                                 Package Name
---------------------------------------------------------------------

These packages are GPG signed by Fedora Legacy for security.  Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

    sha1sum <filename>
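
The two verification steps above, scripted as an added example that is not part of the advisory: each downloaded RPM is checked against a saved copy of the section 7 list (digest on one line, package path on the next), and the `rpm --checksig -v` call is wrapped for the whole download directory. The function names are assumptions, and the package in `make_sample` is constructed for the demonstration (its content is the string `abc`, whose SHA1 is known), so it is not a real RPM.

```shell
#!/bin/sh
# Added example (not from the Fedora Legacy advisory): verify downloaded
# update RPMs against the advisory's SHA1 list, then GPG-check them.
# List layout assumed: digest line followed by package-path line.

# Print the SHA1 digest of a file; works with coreutils sha1sum or BSD shasum.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_one FILE EXPECTED: 0 when the digest matches, 1 otherwise.
verify_one() {
    actual=$(sha1_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# verify_list LISTFILE DIR: walk digest/path pairs, look for each package
# in DIR, report OK / MISMATCH / MISSING; return 1 if anything is wrong.
verify_list() {
    bad=0
    while IFS= read -r digest && IFS= read -r path; do
        file="$2/$(basename "$path")"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1
        elif verify_one "$file" "$digest"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; bad=1
        fi
    done < "$1"
    return "$bad"
}

# checksig_all DIR: the advisory's "rpm --checksig -v" over every RPM in DIR.
checksig_all() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed; skipping"; return 0; }
    for f in "$1"/*.rpm; do rpm --checksig -v "$f" || return 1; done
}

# make_sample DIR: constructed package (content "abc") plus a matching list.
make_sample() {
    mkdir -p "$1"
    printf 'abc' > "$1/php-4.3.11-1.fc1.2.legacy.i386.rpm"
    printf '%s\n%s\n' a9993e364706816aba3e25717850c26c9cd0d89d \
        fedora/1/updates/i386/php-4.3.11-1.fc1.2.legacy.i386.rpm > "$1/SHA1SUMS"
}
```

Run `verify_list SHA1SUMS ./downloads && checksig_all ./downloads` after fetching the RPMs listed in section 6; a MISMATCH or MISSING line, or a failed signature check, means the package must not be installed.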

8. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921

9. Contact:

The Fedora Legacy security contact is <secnotice@...oralegacy.org>. More
project details at http://www.fedoralegacy.org

---------------------------------------------------------------------
