Date: Fri, 6 Oct 2006 14:51:53 +0100
From: Trustix Security Advisor <tsl@trustix.org.>
To: [email protected]
Subject: TSLSA-2006-0055 - multi
Message-ID: <20061006135153.GA13513@tsunami.trustix.net.>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2006-0055
Package names: openldap, php, php4
Summary: Multiple vulnerabilities
Date: 2006-10-06
Affected versions: Trustix Secure Linux 2.2
Trustix Secure Linux 3.0
Trustix Operating System - Enterprise Server 2
- --------------------------------------------------------------------------
Package description:
openldap
OpenLDAP is an open-source suite of LDAP (Lightweight Directory
Access Protocol) applications and development tools. LDAP is a set
of protocols for accessing directory services (usually phone book
style information, but other information is possible) over the
Internet, similar to the way DNS (Domain Name System) information
is propagated over the Internet. This package contains the slapd
and slurpd servers, migration scripts, and related files.
php
PHP is an HTML-embedded scripting language. PHP attempts to
make it easy for developers to write dynamically generated web
pages. PHP also offers built-in database integration for several
commercial and non-commercial database management systems, so
writing a database-enabled web page with PHP is fairly simple.
The most common use of PHP coding is probably as a replacement
for CGI scripts. The mod_php module enables the Apache web server
to understand and process the embedded PHP language in web pages.
php4
PHP4 is an HTML-embedded scripting language. PHP4 attempts to
make it easy for developers to write dynamically generated web
pages. PHP4 also offers built-in database integration for several
commercial and non-commercial database management systems, so
writing a database-enabled web page with PHP is fairly simple.
The most common use of PHP coding is probably as a replacement
for CGI scripts. The mod_php module enables the Apache web server
to understand and process the embedded PHP language in web pages.
Problem description:
openldap < TSL 3.0 > < TSL 2.2 > < TSEL 2 >
- SECURITY Fix: Howard Chu has reported a security issue in
OpenLDAP, caused by an error in Access Control List processing.
If a user has "selfwrite" access to an attribute, this can be
exploited to modify arbitrary values of the attribute.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-4600 to this issue.
php < TSL 3.0 > < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in PHP, caused by
an integer overflow within the "_ecalloc" function. This can
potentially be exploited to execute arbitrary code via specially
crafted requests if a PHP script allocates memory based on
attacker-supplied data.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-4812 to this issue.
php4 < TSL 2.2 >
- SECURITY Fix: A vulnerability has been reported in PHP, caused by
an integer overflow within the "_ecalloc" function. This can
potentially be exploited to execute arbitrary code via specially
crafted requests if a PHP script allocates memory based on
attacker-supplied data.
The Common Vulnerabilities and Exposures project has assigned the
name CVE-2006-4812 to this issue.
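The bug class described for "_ecalloc" in the php and php4 entries above, as an added illustration that is not PHP's source code: a calloc-style size computation that wraps around, next to an overflow-checked version. The function names and the sample element count are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked: nmemb * size is computed modulo SIZE_MAX + 1, so a huge
 * element count can yield a tiny byte count. The caller still believes
 * it owns room for nmemb elements and later writes past the block. */
static size_t unchecked_total(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked: returns 0 and stores the product in *out only if it fits in
 * a size_t, otherwise returns -1 and leaves *out untouched. */
static int checked_total(size_t nmemb, size_t size, size_t *out)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return -1;
    *out = nmemb * size;
    return 0;
}

/* Hypothetical calloc-style wrapper that refuses requests whose size
 * computation would wrap, instead of returning an undersized block. */
static void *safe_calloc(size_t nmemb, size_t size)
{
    size_t total;
    if (checked_total(nmemb, size, &total) != 0)
        return NULL;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

int main(void)
{
    /* Constructed sample: an attacker-influenced count chosen so that
     * count * 16 exceeds SIZE_MAX by exactly 17 and wraps to 16. */
    size_t nmemb = SIZE_MAX / 16 + 2, size = 16;
    printf("unchecked request: %zu bytes\n", unchecked_total(nmemb, size));
    printf("safe_calloc: %s\n",
           safe_calloc(nmemb, size) ? "allocated" : "rejected");
    return 0;
}
```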
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With a focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.2/> and
<URI:http://www.trustix.org/errata/trustix-3.0/>
or directly at
<URI:http://www.trustix.org/errata/2006/0055/>
MD5sums of the packages:
- --------------------------------------------------------------------------
Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
iD8DBQFFJl3Si8CEzsK9IksRAnWVAKCAKNjmEYE+YfadUwawoKMKesBWvgCfX/eO
eHIT2kUva5QoUzbrHnZPyDs=
=u3xA
-----END PGP SIGNATURE-----