[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200308121804.55278.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 12/Aug/2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 12/Aug/2003
============================================================
The following page contains the security information of Turbolinux Inc.
- Turbolinux Security Center
http://www.turbolinux.com/security/
(1) php -> Cross-site scripting vulnerability
===========================================================
* php -> Cross-site scripting vulnerability
===========================================================
More information :
PHP is an HTML-embedded scripting language.
The cross-site scripting vulnerability is in the transparent SID support capability for PHP.
Impact :
An attacker could use this vulnerability to execute embedded scripts within
the context of the generated page.
Affected Products :
- Turbolinux 8 Server
- Turbolinux 8 Workstation
Solution :
Please either use turbopkg tool to apply the update or turn off the
session.use_trans_sid in php.ini.
(session.use_trans_sid is disabled by default.)
<Turbolinux 8 Server>
Source Packages
Size : MD5
php-4.2.3-10.src.rpm
3586620 5709a5dbd9500950b7e00e3396a9d330
Binary Packages
Size : MD5
php-4.2.3-10.i586.rpm
1630251 bcc1e022d5e6df866e577f656365584d
php-gd-4.2.3-10.i586.rpm
30516 7edac00a593a1d38aaa03d4dedd4d6fe
php-imap-4.2.3-10.i586.rpm
8486 2254538bd3830eb670dadad838d7065b
php-ldap-4.2.3-10.i586.rpm
23911 b19524bd75404fa30476ccc7602fa72d
php-manual-4.2.3-10.i586.rpm
340817 5b8cfe4a048cd613016d1b0671888633
php-ming-4.2.3-10.i586.rpm
32512 34e9946c1d7ee60635de23a45f04a23b
php-mysql-4.2.3-10.i586.rpm
90113 ff1138d5943a3b0d0e6476fba66c9605
php-pgsql-4.2.3-10.i586.rpm
34736 264b22c0d343661efc47fbd1999fea3c
<Turbolinux 8 Workstation>
Source Packages
Size : MD5
php-4.2.3-10.src.rpm
3586620 c0243a3f31b1e411f519d0f3075ddce7
Binary Packages
Size : MD5
php-4.2.3-10.i586.rpm
1629986 c08e4fa8a0ee72eadb443494f759c3d2
php-gd-4.2.3-10.i586.rpm
30538 f0dded8c660e80224299bead30f2edeb
php-imap-4.2.3-10.i586.rpm
8531 8819a72730c5b35160368af26ae8e083
php-ldap-4.2.3-10.i586.rpm
23999 314f1bf0b3930b8215e23033378f7b46
php-manual-4.2.3-10.i586.rpm
341064 c54b1703ac92f0b894c775cf4caac5df
php-ming-4.2.3-10.i586.rpm
32535 3d05088f3916b3a9e8cea5264f5e7829
php-mysql-4.2.3-10.i586.rpm
90146 6dad78932d7ffa3971c43b4a9bccac52
php-pgsql-4.2.3-10.i586.rpm
34833 961df7f936cf1e191631bd48307e5780
session.use_trans_sid is disabled
[/etc/httpd/php.ini]
------------------------------
session.use_trans_sid = 0
------------------------------
References :
CVE
[CAN-2003-0422]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
* You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.
http://www.turbolinux.com/download/zabom.html
http://www.turbolinux.com/download/zabomupdate.html
Package Update Path
http://www.turbolinux.com/update
============================================================
* To obtain the public key
Here is the public key
http://www.turbolinux.com/security/
* To unsubscribe from the list
If you ever want to remove yourself from this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).
unsubscribe
* To change your email address
If you ever want to chage email address in this mailing list,
you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:
chaddr 'old address' 'new address'
If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>
Thank you!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/OK2RK0LzjOqIJMwRAs/SAJ44tJQ0TECCQCdxV30uw5V6nr4D6gCgsF26
h8ljRuSppulO41/a8bwWMNc=
=CMaD
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists