The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[RHSA-2002:102-26] New PHP packages fix vulnerability in safemode


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Tue, 20 Aug 2002 11:23 -0400
From: [email protected]
To: [email protected], [email protected]
Subject: [RHSA-2002:102-26] New PHP packages fix vulnerability in safemode

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New PHP packages fix vulnerability in safemode
Advisory ID:       RHSA-2002:102-26
Issue date:        2002-05-27
Updated on:        2002-08-19
Product:           Red Hat Linux
Ключевые слова: , , , , , , , , , mail, PHP, safemode, 5th, parameter,  (найти похожие документы)
Cross references:=20=20 Obsoletes: RHSA-2002:035 CVE Names: CAN-2001-1246 --------------------------------------------------------------------- 1. Topic: PHP versions earlier than 4.1.0 contain a vulnerability that could allow arbitrary commands to be executed. 2. Relevant releases/architectures: Red Hat Linux 7.0 - alpha, i386 Red Hat Linux 7.1 - alpha, i386, ia64 Red Hat Linux 7.2 - i386, ia64 Red Hat Linux 7.3 - i386 3. Problem description: PHP is an HTML-embedded scripting language commonly used with Apache. PHP versions 4.0.5 through 4.1.0 in safe mode do not properly cleanse the 5th parameter to the mail() function. This vulnerability allows local users and possibly remote attackers to execute arbitrary commands via shell metacharacters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-1246 to this issue. Red Hat Linux version 7.2 shipped with PHP 4.0.6 by default, which is vulnerable to this issue. Versions of Red Hat Linux before 7.2 shipped with an earlier version of PHP not vulnerable to this issue. However, if the the most recent errata (RHSA-2002:035) was applied to these systems, then they *are* vulnerable and should be upgraded. It is highly recommended that all users of PHP upgrade to these errata packages, which are not vulnerable to this issue. Please Note: This PHP errata enforces memory limits on the size of the PHP process to prevent a badly generated script from becoming a possible source for a denial of service attack. The default process size is 8Mb though you can adjust this as you deem necessary thought the php.ini directive memory_limit. For example, to change the process memory limit to 4MB, add the following: memory_limit 4194304 Important Note: There are special instructions you should follow regarding your /etc/php.ini configuration file in the <b>Solution</b> section below. 4. Solution: Please note that the /etc/php.ini configuration file is not replaced or overwritten. You should carefully review your configuration file and adapt it to your server or service functions. Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. RPMs required: Red Hat Linux 7.0: SRPMS: ftp://updates.redhat.com/7.0/en/os/SRPMS/php-4.1.2-7.0.3.src.rpm alpha: ftp://updates.redhat.com/7.0/en/os/alpha/php-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-manual-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-odbc-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-imap-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-mysql-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-devel-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-snmp-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-ldap-4.1.2-7.0.3.alpha.rpm ftp://updates.redhat.com/7.0/en/os/alpha/php-pgsql-4.1.2-7.0.3.alpha.rpm i386: ftp://updates.redhat.com/7.0/en/os/i386/php-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-manual-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-odbc-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-imap-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-mysql-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-devel-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-snmp-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-ldap-4.1.2-7.0.3.i386.rpm ftp://updates.redhat.com/7.0/en/os/i386/php-pgsql-4.1.2-7.0.3.i386.rpm Red Hat Linux 7.1: SRPMS: ftp://updates.redhat.com/7.1/en/os/SRPMS/php-4.1.2-7.1.3.src.rpm alpha: ftp://updates.redhat.com/7.1/en/os/alpha/php-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-manual-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-odbc-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-imap-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-mysql-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-devel-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-snmp-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-ldap-4.1.2-7.1.3.alpha.rpm ftp://updates.redhat.com/7.1/en/os/alpha/php-pgsql-4.1.2-7.1.3.alpha.rpm i386: ftp://updates.redhat.com/7.1/en/os/i386/php-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-manual-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-odbc-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-imap-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-mysql-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-devel-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-snmp-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-ldap-4.1.2-7.1.3.i386.rpm ftp://updates.redhat.com/7.1/en/os/i386/php-pgsql-4.1.2-7.1.3.i386.rpm ia64: ftp://updates.redhat.com/7.1/en/os/ia64/php-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-manual-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-odbc-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-imap-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-mysql-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-devel-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-snmp-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-ldap-4.1.2-7.1.3.ia64.rpm ftp://updates.redhat.com/7.1/en/os/ia64/php-pgsql-4.1.2-7.1.3.ia64.rpm Red Hat Linux 7.2: SRPMS: ftp://updates.redhat.com/7.2/en/os/SRPMS/php-4.1.2-7.2.3.src.rpm i386: ftp://updates.redhat.com/7.2/en/os/i386/php-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-manual-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-odbc-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-imap-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-mysql-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-devel-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-snmp-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-ldap-4.1.2-7.2.3.i386.rpm ftp://updates.redhat.com/7.2/en/os/i386/php-pgsql-4.1.2-7.2.3.i386.rpm ia64: ftp://updates.redhat.com/7.2/en/os/ia64/php-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-manual-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-odbc-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-imap-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-mysql-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-devel-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-snmp-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-ldap-4.1.2-7.2.3.ia64.rpm ftp://updates.redhat.com/7.2/en/os/ia64/php-pgsql-4.1.2-7.2.3.ia64.rpm Red Hat Linux 7.3: SRPMS: ftp://updates.redhat.com/7.3/en/os/SRPMS/php-4.1.2-7.3.3.src.rpm i386: ftp://updates.redhat.com/7.3/en/os/i386/php-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-manual-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-odbc-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-imap-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-mysql-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-devel-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-snmp-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-ldap-4.1.2-7.3.3.i386.rpm ftp://updates.redhat.com/7.3/en/os/i386/php-pgsql-4.1.2-7.3.3.i386.rpm 6. Verification: MD5 sum Package Name -------------------------------------------------------------------------- a2ee962d03d4a66d8b4f064aa7bc4596 7.0/en/os/SRPMS/php-4.1.2-7.0.3.src.rpm 750e7b91eb1b948c1ada6b6e14745019 7.0/en/os/alpha/php-4.1.2-7.0.3.alpha.rpm 7e8630c06b5387206308b2d58d3d2e27 7.0/en/os/alpha/php-devel-4.1.2-7.0.3.alph= a.rpm e99a263708ed7344d6b0dca89a7bedd7 7.0/en/os/alpha/php-imap-4.1.2-7.0.3.alpha= .rpm f9383dea9e04cb29329d40703e83dc9d 7.0/en/os/alpha/php-ldap-4.1.2-7.0.3.alpha= .rpm 37f80225c1bc981140ff08b675333f44 7.0/en/os/alpha/php-manual-4.1.2-7.0.3.alp= ha.rpm 322b0acb43409534b969741d1059158f 7.0/en/os/alpha/php-mysql-4.1.2-7.0.3.alph= a.rpm 244f984a506cb4e4ba8ede42d52890ad 7.0/en/os/alpha/php-odbc-4.1.2-7.0.3.alpha= .rpm 5cd223c968ba2dd19e6851ab2b650edd 7.0/en/os/alpha/php-pgsql-4.1.2-7.0.3.alph= a.rpm ee25efa287c33c897141564a21ce3f25 7.0/en/os/alpha/php-snmp-4.1.2-7.0.3.alpha= .rpm df35c9aeaf9c254b0489d173ecc7d248 7.0/en/os/i386/php-4.1.2-7.0.3.i386.rpm e7a51b96b17f65471d7e900af418405b 7.0/en/os/i386/php-devel-4.1.2-7.0.3.i386.= rpm b30b20df764294804528efad22a9a232 7.0/en/os/i386/php-imap-4.1.2-7.0.3.i386.r= pm 524665531d576c6e8dbe4ca0588138a0 7.0/en/os/i386/php-ldap-4.1.2-7.0.3.i386.r= pm 6e7c5348752eff801507a5474bc523f8 7.0/en/os/i386/php-manual-4.1.2-7.0.3.i386= .rpm 9ffd7688ed63a65dc2ba45a39775dfac 7.0/en/os/i386/php-mysql-4.1.2-7.0.3.i386.= rpm 97270c6acfb9a7b81b2640fc233d2a80 7.0/en/os/i386/php-odbc-4.1.2-7.0.3.i386.r= pm 42760e93ad046f1d355a48b0d65d5506 7.0/en/os/i386/php-pgsql-4.1.2-7.0.3.i386.= rpm 8775b297d5b31e0637ba408ffbc35fcf 7.0/en/os/i386/php-snmp-4.1.2-7.0.3.i386.r= pm 22eb1586d39c15f391289576cc86df48 7.1/en/os/SRPMS/php-4.1.2-7.1.3.src.rpm a21ba4abbf2316c753f8e52e6e47f002 7.1/en/os/alpha/php-4.1.2-7.1.3.alpha.rpm 059fafb0eced5dfe9cecf9150f8ecdff 7.1/en/os/alpha/php-devel-4.1.2-7.1.3.alph= a.rpm e912f96d952301e59ee292e6a09c5d17 7.1/en/os/alpha/php-imap-4.1.2-7.1.3.alpha= .rpm 3d01db9cd6c18387fc86bad872f19996 7.1/en/os/alpha/php-ldap-4.1.2-7.1.3.alpha= .rpm b02be8a598b1e35847a5717691cfd4eb 7.1/en/os/alpha/php-manual-4.1.2-7.1.3.alp= ha.rpm 509faf7624f199aa0998608a01067d11 7.1/en/os/alpha/php-mysql-4.1.2-7.1.3.alph= a.rpm 89bc30f6f02235261235758419615d85 7.1/en/os/alpha/php-odbc-4.1.2-7.1.3.alpha= .rpm 7c88ce1fb8060de300ea6575324b9964 7.1/en/os/alpha/php-pgsql-4.1.2-7.1.3.alph= a.rpm f1a0ef5807f55c6df45002feff5be0aa 7.1/en/os/alpha/php-snmp-4.1.2-7.1.3.alpha= .rpm 0e91ea0f81ad8f2e3c14d9599efc864b 7.1/en/os/i386/php-4.1.2-7.1.3.i386.rpm c8f574834d7acbda486119f52ee0b0d7 7.1/en/os/i386/php-devel-4.1.2-7.1.3.i386.= rpm beaa1ce1217afc83cdeebfba9163c7c1 7.1/en/os/i386/php-imap-4.1.2-7.1.3.i386.r= pm 41fcabdc59a3f417623dc9c963a6b45d 7.1/en/os/i386/php-ldap-4.1.2-7.1.3.i386.r= pm 9dfb36f4ded01b1d94387a1ac9f87a76 7.1/en/os/i386/php-manual-4.1.2-7.1.3.i386= .rpm 60e4469799954c8a36632fc2e753de11 7.1/en/os/i386/php-mysql-4.1.2-7.1.3.i386.= rpm b74c269986aaa4ba4f3f149efbc611da 7.1/en/os/i386/php-odbc-4.1.2-7.1.3.i386.r= pm a043736dd3ae42823bc1e608c50aee97 7.1/en/os/i386/php-pgsql-4.1.2-7.1.3.i386.= rpm 6a12c67b6f383d498eef598b193775ad 7.1/en/os/i386/php-snmp-4.1.2-7.1.3.i386.r= pm 87ad9a08a1fd3a835581c266639d0d87 7.1/en/os/ia64/php-4.1.2-7.1.3.ia64.rpm e74adc2cfeefeb9522244410bac2db38 7.1/en/os/ia64/php-devel-4.1.2-7.1.3.ia64.= rpm ff472ad79eca51960a3b0286e5bdf48d 7.1/en/os/ia64/php-imap-4.1.2-7.1.3.ia64.r= pm 009f887ea1e3168e031605055c73e44e 7.1/en/os/ia64/php-ldap-4.1.2-7.1.3.ia64.r= pm da6c1c091989de604f316c48a4c4b757 7.1/en/os/ia64/php-manual-4.1.2-7.1.3.ia64= .rpm c11d30cd25d2565ba941857e3a60a7a2 7.1/en/os/ia64/php-mysql-4.1.2-7.1.3.ia64.= rpm 166f9ac22b4faf7e4aab0495d1a1467c 7.1/en/os/ia64/php-odbc-4.1.2-7.1.3.ia64.r= pm ce1c8f7f04c6d150c20210d2071a88b6 7.1/en/os/ia64/php-pgsql-4.1.2-7.1.3.ia64.= rpm ff02ebff8b568a476e7d2469a5db901a 7.1/en/os/ia64/php-snmp-4.1.2-7.1.3.ia64.r= pm 17767caa1c540ae7467032b507dc537b 7.2/en/os/SRPMS/php-4.1.2-7.2.3.src.rpm 5ee69c9773909727327b52ac257f9c7f 7.2/en/os/i386/php-4.1.2-7.2.3.i386.rpm 7660b8e758d56a6b176ecfc9b511e0f1 7.2/en/os/i386/php-devel-4.1.2-7.2.3.i386.= rpm 0fcdfc60bdb7984f676f1f1433307f02 7.2/en/os/i386/php-imap-4.1.2-7.2.3.i386.r= pm 422f4977bf916c14ade9b1f508279f5a 7.2/en/os/i386/php-ldap-4.1.2-7.2.3.i386.r= pm 69f78016ffdbde0b250548d04653a78e 7.2/en/os/i386/php-manual-4.1.2-7.2.3.i386= .rpm d50c9c8054bb98eb18b2233392c7791f 7.2/en/os/i386/php-mysql-4.1.2-7.2.3.i386.= rpm c9a434dec3de1aa47a43f8fe1977eab1 7.2/en/os/i386/php-odbc-4.1.2-7.2.3.i386.r= pm 8a9781796430c4c11b490e8bfe9aa1d1 7.2/en/os/i386/php-pgsql-4.1.2-7.2.3.i386.= rpm f5feae57a884690a8c20098938371af8 7.2/en/os/i386/php-snmp-4.1.2-7.2.3.i386.r= pm 716e0dd9ea1049c4c38957120d41aaf5 7.2/en/os/ia64/php-4.1.2-7.2.3.ia64.rpm 42702bc5eef0a42b2be3b6562ff48a73 7.2/en/os/ia64/php-devel-4.1.2-7.2.3.ia64.= rpm a9bf2a4cca701b9fe83c5f6e9e9ae4e2 7.2/en/os/ia64/php-imap-4.1.2-7.2.3.ia64.r= pm 18ae95909ca09ec897e313828b9d3eb8 7.2/en/os/ia64/php-ldap-4.1.2-7.2.3.ia64.r= pm 6223f95f7279913fde43c992fe17301a 7.2/en/os/ia64/php-manual-4.1.2-7.2.3.ia64= .rpm 649c0fa4c72ac1bb9e08c935dba3ce7d 7.2/en/os/ia64/php-mysql-4.1.2-7.2.3.ia64.= rpm 0ce6494f01975351bd926beec07c3a7f 7.2/en/os/ia64/php-odbc-4.1.2-7.2.3.ia64.r= pm 7fd8108c6fa9f553516dfb4c6d857cf0 7.2/en/os/ia64/php-pgsql-4.1.2-7.2.3.ia64.= rpm 53377d928d58310481097ae001689da8 7.2/en/os/ia64/php-snmp-4.1.2-7.2.3.ia64.r= pm 91f6379bc8ada6024971b80c6d553cca 7.3/en/os/SRPMS/php-4.1.2-7.3.3.src.rpm 236c34f6696dfce574270e05f53d863b 7.3/en/os/i386/php-4.1.2-7.3.3.i386.rpm b1d20691d59cd9cef8b0e6671099c216 7.3/en/os/i386/php-devel-4.1.2-7.3.3.i386.= rpm 34e57c7bc9ea368f9d4e32a1e2d1e908 7.3/en/os/i386/php-imap-4.1.2-7.3.3.i386.r= pm 1fdc4d0de35fc93e66ec6601b8b32b03 7.3/en/os/i386/php-ldap-4.1.2-7.3.3.i386.r= pm 02d02c10053f3738e13180520af22b1c 7.3/en/os/i386/php-manual-4.1.2-7.3.3.i386= .rpm 98e8d5b9458d5dc26d57c5216e7d0877 7.3/en/os/i386/php-mysql-4.1.2-7.3.3.i386.= rpm 9fb7dc54903aae71b907b4f86544e80e 7.3/en/os/i386/php-odbc-4.1.2-7.3.3.i386.r= pm c664feafa07b2b1f754e0cc37bcc0eeb 7.3/en/os/i386/php-pgsql-4.1.2-7.3.3.i386.= rpm c1de92828fedb0e88ed73a6ba4c94303 7.3/en/os/i386/php-snmp-4.1.2-7.3.3.i386.r= pm These packages are GPG signed by Red Hat, Inc. for security. Our key is available at: http://www.redhat.com/about/contact/pgpkey.html You can verify each package with the following command: rpm --checksig <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command: rpm --checksig --nogpg <filename> 7. References: http://online.securityfocus.com/archive/1/194425 http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCAN-2001-1246 Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру