<<< Date Index >>>     <<< Thread Index >>>

MDKSA-2004:068 - Updated php packages fix multiple vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           php
 Advisory ID:            MDKSA-2004:068
 Date:                   July 14th, 2004

 Affected versions:      10.0, 9.1, 9.2, Corporate Server 2.1,
                         Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 Stefan Esser discovered a remotely exploitable vulnerability in PHP
 where a remote attacker could trigger a memory_limit request
 termination in places where an interruption is unsafe.  This could be
 used to execute arbitrary code.
 
 As well, Stefan Esser also found a vulnerability in the handling of
 allowed tags within PHP's strip_tags() function.  This could lead to
 a number of XSS issues on sites that rely on strip_tags(); however,
 this only seems to affect the Internet Explorer and Safari browsers.
 
 The updated packages have been patched to correct the problem and
 all users are encouraged to upgrade immediately.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0594
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0595
  http://security.e-matters.de/advisories/112004.html
  http://security.e-matters.de/advisories/122004.html
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 62cdddfba4a6efda574d9a7fbade926a  
10.0/RPMS/libphp_common432-4.3.4-4.1.100mdk.i586.rpm
 c71dc50bc4db1eef210dcdb17bfefb84  10.0/RPMS/php-cgi-4.3.4-4.1.100mdk.i586.rpm
 41ec866b7f9017e5e9697f758d96b7dd  10.0/RPMS/php-cli-4.3.4-4.1.100mdk.i586.rpm
 6cf53b4acfaf964f2ad27c26c7522850  
10.0/RPMS/php432-devel-4.3.4-4.1.100mdk.i586.rpm
 805c5ba7b90fd4e53fc09b46d2e4c00c  10.0/SRPMS/php-4.3.4-4.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 8f7909d54dca79d0778754a78447c378  
amd64/10.0/RPMS/lib64php_common432-4.3.4-4.1.100mdk.amd64.rpm
 378466839541330d72df496acc9cd9da  
amd64/10.0/RPMS/php-cgi-4.3.4-4.1.100mdk.amd64.rpm
 3e6b698ba65fd6acb035d97f7c872c79  
amd64/10.0/RPMS/php-cli-4.3.4-4.1.100mdk.amd64.rpm
 62693eda687695449ff61aee7af8b844  
amd64/10.0/RPMS/php432-devel-4.3.4-4.1.100mdk.amd64.rpm
 805c5ba7b90fd4e53fc09b46d2e4c00c  amd64/10.0/SRPMS/php-4.3.4-4.1.100mdk.src.rpm

 Corporate Server 2.1:
 e1326fedc5957661efd6eec69c4e66cf  
corporate/2.1/RPMS/php-4.2.3-4.2.C21mdk.i586.rpm
 31337953ddfec7c379c8bcad70e97f7f  
corporate/2.1/RPMS/php-common-4.2.3-4.2.C21mdk.i586.rpm
 346f004bb741c5d3a279d495eadc61c5  
corporate/2.1/RPMS/php-devel-4.2.3-4.2.C21mdk.i586.rpm
 91ef39ceeb256c72f449ebd2f73fdc3a  
corporate/2.1/RPMS/php-pear-4.2.3-4.2.C21mdk.i586.rpm
 06a1c08156a866f9b78e1949df881425  
corporate/2.1/SRPMS/php-4.2.3-4.2.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 da53a0003ad75379dd473ca297c9b4f0  
x86_64/corporate/2.1/RPMS/php-4.2.3-4.2.C21mdk.x86_64.rpm
 190da4dbf19fd83c3e8b2db3ebe7e186  
x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.2.C21mdk.x86_64.rpm
 7c32a33ced47f7feaf47f801718b6d8d  
x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.2.C21mdk.x86_64.rpm
 0a747e5e17d82642f77cdfee44afe201  
x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.2.C21mdk.x86_64.rpm
 06a1c08156a866f9b78e1949df881425  
x86_64/corporate/2.1/SRPMS/php-4.2.3-4.2.C21mdk.src.rpm

 Mandrakelinux 9.1:
 53e9be87d1e87c11384c78e656fb045b  
9.1/RPMS/libphp_common430-430-11.2.91mdk.i586.rpm
 d726c6e61503ace236d41e96dd2aacc4  9.1/RPMS/php-cgi-4.3.1-11.2.91mdk.i586.rpm
 c0f0638a6977b0747b9cef6421f0baa2  9.1/RPMS/php-cli-4.3.1-11.2.91mdk.i586.rpm
 846433aa57319fcf5ab760bb784c7f60  9.1/RPMS/php430-devel-430-11.2.91mdk.i586.rpm
 68d0872d095bdb4976541debcdaa11d7  9.1/SRPMS/php-4.3.1-11.2.91mdk.src.rpm

 Mandrakelinux 9.1/PPC:
 929514cf49ddeb4ac321b20ffa6fdb49  
ppc/9.1/RPMS/libphp_common430-430-11.2.91mdk.ppc.rpm
 429cafb67ce1e36012eabad5c46d0a26  ppc/9.1/RPMS/php-cgi-4.3.1-11.2.91mdk.ppc.rpm
 0bab7923e30ccaf668a04b41925adc0b  ppc/9.1/RPMS/php-cli-4.3.1-11.2.91mdk.ppc.rpm
 af5f2be485dad26cb88103f3373a8188  
ppc/9.1/RPMS/php430-devel-430-11.2.91mdk.ppc.rpm
 68d0872d095bdb4976541debcdaa11d7  ppc/9.1/SRPMS/php-4.3.1-11.2.91mdk.src.rpm

 Mandrakelinux 9.2:
 f731f578cdb9d458c4880a48f20c0027  
9.2/RPMS/libphp_common432-4.3.3-2.1.92mdk.i586.rpm
 732ba08087b14490c057a9454c6b706d  9.2/RPMS/php-cgi-4.3.3-2.1.92mdk.i586.rpm
 d7aeca9053611e06ddeeb374ebc38fd5  9.2/RPMS/php-cli-4.3.3-2.1.92mdk.i586.rpm
 dfdbda0df15baea7861646b4c42eb1d2  
9.2/RPMS/php432-devel-4.3.3-2.1.92mdk.i586.rpm
 8495c4332df4f8262d3f0b9b2b781739  9.2/SRPMS/php-4.3.3-2.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 7440678e5a938931b88953232c5c2a46  
amd64/9.2/RPMS/lib64php_common432-4.3.3-2.1.92mdk.amd64.rpm
 4375a9c46be6b1ef103959253b469035  
amd64/9.2/RPMS/php-cgi-4.3.3-2.1.92mdk.amd64.rpm
 3cd4c385732e3b31b9f20fa93b6a7ee5  
amd64/9.2/RPMS/php-cli-4.3.3-2.1.92mdk.amd64.rpm
 dbf7471c02799c02a32e46a727ee87f3  
amd64/9.2/RPMS/php432-devel-4.3.3-2.1.92mdk.amd64.rpm
 8495c4332df4f8262d3f0b9b2b781739  amd64/9.2/SRPMS/php-4.3.3-2.1.92mdk.src.rpm

 Multi Network Firewall 8.2:
 f91aac5bc43fa5c79317b8dd2d6fbfb2  
mnf8.2/RPMS/php-common-4.1.2-1.3.M82mdk.i586.rpm
 9805edbc685f9418c54e9ea20f968b15  mnf8.2/SRPMS/php-4.1.2-1.3.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFA9b+NmqjQ0CJFipgRAgpzAKC+Hc4A1Z03TdP+VIUZGXhcu68NywCfeBVS
nfMtnYgAlOVkymEQmxRo7H8=
=EaFK
-----END PGP SIGNATURE-----