lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200308121804.55278.security-announce@turbolinux.co.jp>
From: security-announce at turbolinux.co.jp (Turbolinux)
Subject: [TURBOLINUX SECURITY INFO] 12/Aug/2003

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is an announcement only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 12/Aug/2003
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) php -> Cross-site scripting vulnerability


===========================================================
* php -> Cross-site scripting vulnerability
===========================================================

 More information :
    PHP is an HTML-embedded scripting language.
    The cross-site scripting vulnerability is in the transparent SID support capability for PHP.

 Impact :
    An attacker could use this vulnerability to execute embedded scripts within
    the context of the generated page.

 Affected Products :
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation

 Solution :
    Please either use turbopkg tool to apply the update or turn off the
    session.use_trans_sid in php.ini.
    (session.use_trans_sid is disabled by default.)


 <Turbolinux 8 Server>

   Source Packages
   Size : MD5

   php-4.2.3-10.src.rpm
      3586620 5709a5dbd9500950b7e00e3396a9d330

   Binary Packages
   Size : MD5

   php-4.2.3-10.i586.rpm
      1630251 bcc1e022d5e6df866e577f656365584d
   php-gd-4.2.3-10.i586.rpm
        30516 7edac00a593a1d38aaa03d4dedd4d6fe
   php-imap-4.2.3-10.i586.rpm
         8486 2254538bd3830eb670dadad838d7065b
   php-ldap-4.2.3-10.i586.rpm
        23911 b19524bd75404fa30476ccc7602fa72d
   php-manual-4.2.3-10.i586.rpm
       340817 5b8cfe4a048cd613016d1b0671888633
   php-ming-4.2.3-10.i586.rpm
        32512 34e9946c1d7ee60635de23a45f04a23b
   php-mysql-4.2.3-10.i586.rpm
        90113 ff1138d5943a3b0d0e6476fba66c9605
   php-pgsql-4.2.3-10.i586.rpm
        34736 264b22c0d343661efc47fbd1999fea3c

 <Turbolinux 8 Workstation>

   Source Packages
   Size : MD5

   php-4.2.3-10.src.rpm
      3586620 c0243a3f31b1e411f519d0f3075ddce7

   Binary Packages
   Size : MD5

   php-4.2.3-10.i586.rpm
      1629986 c08e4fa8a0ee72eadb443494f759c3d2
   php-gd-4.2.3-10.i586.rpm
        30538 f0dded8c660e80224299bead30f2edeb
   php-imap-4.2.3-10.i586.rpm
         8531 8819a72730c5b35160368af26ae8e083
   php-ldap-4.2.3-10.i586.rpm
        23999 314f1bf0b3930b8215e23033378f7b46
   php-manual-4.2.3-10.i586.rpm
       341064 c54b1703ac92f0b894c775cf4caac5df
   php-ming-4.2.3-10.i586.rpm
        32535 3d05088f3916b3a9e8cea5264f5e7829
   php-mysql-4.2.3-10.i586.rpm
        90146 6dad78932d7ffa3971c43b4a9bccac52
   php-pgsql-4.2.3-10.i586.rpm
        34833 961df7f936cf1e191631bd48307e5780


 session.use_trans_sid is disabled
 [/etc/httpd/php.ini]
 ------------------------------
 session.use_trans_sid = 0
 ------------------------------


 References :

 CVE
   [CAN-2003-0422]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442


 * You may need to update the turbopkg tool before applying the update.
Please refer to the following URL for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
 * To obtain the public key

Here is the public key

 http://www.turbolinux.com/security/

 * To unsubscribe from the list

If you ever want to remove yourself from this mailing list,
  you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the word `unsubscribe' in the body (don't include the quotes).

unsubscribe

 * To change your email address

If you ever want to chage email address in this mailing list,
  you can send a message to <server-users-e-ctl@...bolinux.co.jp> with
the following command in the message body:

  chaddr 'old address' 'new address'

If you have any questions or problems, please contact
<supp_info@...bolinux.co.jp>

Thank you!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/OK2RK0LzjOqIJMwRAs/SAJ44tJQ0TECCQCdxV30uw5V6nr4D6gCgsF26
h8ljRuSppulO41/a8bwWMNc=
=CMaD
-----END PGP SIGNATURE-----




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ