--------------------------------------------------------------------- Fedora Legacy Update Advisory Synopsis: Updated php packages fix security issues Advisory ID: FLSA:155505 Issue date: 2005-07-10 Product: Red Hat Linux, Fedora Core Keywords: Bugfix CVE Names: CAN-2005-0524 CAN-2005-0525 CAN-2005-1042 CAN-2005-1043 --------------------------------------------------------------------- --------------------------------------------------------------------- 1. Topic: Updated php packages that fix various security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. 2. Relevant releases/architectures: Red Hat Linux 7.3 - i386 Red Hat Linux 9 - i386 Fedora Core 1 - i386 Fedora Core 2 - i386 3. Problem description: A bug was found in the way PHP processes IFF and JPEG images. It is possible to cause PHP to consume CPU resources for a short period of time by supplying a carefully crafted IFF or JPEG image. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0524 and CAN-2005-0525 to these issues. A buffer overflow bug was also found in the way PHP processes EXIF image headers. It is possible for an attacker to construct an image file in such a way that it could execute arbitrary instructions when processed by PHP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1042 to this issue. A denial of service bug was found in the way PHP processes EXIF image headers. It is possible for an attacker to cause PHP to enter an infinite loop for a short period of time by supplying a carefully crafted image file to PHP for processing. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-1043 to this issue. The security fixes to the "unserializer" code in the previous release introduced some performance issues. A bug fix for that issue is also included in this update. Users of PHP should upgrade to these updated packages, which contain backported fixes for these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. To update all RPMs for your particular architecture, run: rpm -Fvh [filenames] where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs. Please note that this update is also available via yum and apt. Many people find this an easier way to apply updates. To use yum issue: yum update or to use apt: apt-get update; apt-get upgrade This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. This assumes that you have yum or apt-get configured for obtaining Fedora Legacy content. Please visit http://www.fedoralegacy.org/docs for directions on how to configure yum and apt-get. 5. Bug IDs fixed: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155505 6. RPMs required: Red Hat Linux 7.3: SRPM: http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/php-4.1.2-7.3.17.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-devel-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-imap-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-manual-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.17.legacy.i386.rpm http://download.fedoralegacy.org/redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.17.legacy.i386.rpm Red Hat Linux 9: SRPM: http://download.fedoralegacy.org/redhat/9/updates/SRPMS/php-4.2.2-17.14.legacy.src.rpm i386: http://download.fedoralegacy.org/redhat/9/updates/i386/php-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-devel-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-imap-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-ldap-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-manual-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-mysql-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-odbc-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-pgsql-4.2.2-17.14.legacy.i386.rpm http://download.fedoralegacy.org/redhat/9/updates/i386/php-snmp-4.2.2-17.14.legacy.i386.rpm Fedora Core 1: SRPM: http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.1.legacy.i386.rpm http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.1.legacy.i386.rpm Fedora Core 2: SRPM: http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc1.1.legacy.src.rpm i386: http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.2.legacy.i386.rpm http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.2.legacy.i386.rpm 7. Verification: SHA1 sum Package Name --------------------------------------------------------------------- 422f8a972c62b1aa1d79e9f96cc39446852eb589 redhat/7.3/updates/i386/php-4.1.2-7.3.17.legacy.i386.rpm 7c6d48ebbfb96004baee8515ae9517dcf500f43c redhat/7.3/updates/i386/php-devel-4.1.2-7.3.17.legacy.i386.rpm 8f1837ee66212ede899189e09edf25d903a7e133 redhat/7.3/updates/i386/php-imap-4.1.2-7.3.17.legacy.i386.rpm 79d4f45a887ce9df8232911f5aab6bf5bd77369d redhat/7.3/updates/i386/php-ldap-4.1.2-7.3.17.legacy.i386.rpm 63edb9b27730ad5c782484cf4757905140ece1c2 redhat/7.3/updates/i386/php-manual-4.1.2-7.3.17.legacy.i386.rpm 39b40cb4bae1374335cf7f82fbfa02501a4ed630 redhat/7.3/updates/i386/php-mysql-4.1.2-7.3.17.legacy.i386.rpm 51d4baf10b3bc132ba9205aa6cd35615041c33bd redhat/7.3/updates/i386/php-odbc-4.1.2-7.3.17.legacy.i386.rpm 42a557e7f68f290a6cf21de4c2ad1f7fe97cf763 redhat/7.3/updates/i386/php-pgsql-4.1.2-7.3.17.legacy.i386.rpm 5753d915ad5d32c14cbbaea33a7f35a3b5b908d3 redhat/7.3/updates/i386/php-snmp-4.1.2-7.3.17.legacy.i386.rpm 576f29104b946e3773d4c7b77de5b80a942a0678 redhat/7.3/updates/SRPMS/php-4.1.2-7.3.17.legacy.src.rpm bd793f717cca20745ab9c67cb6a7b4bcebe46d93 redhat/9/updates/i386/php-4.2.2-17.14.legacy.i386.rpm 8df50f63c5d3525a4359a72587c6b902d8a3325f redhat/9/updates/i386/php-devel-4.2.2-17.14.legacy.i386.rpm 665060794635ded7a76eaccb46cd09ffd04900ea redhat/9/updates/i386/php-imap-4.2.2-17.14.legacy.i386.rpm 8b34f184aba7260a8eac2708e12e906c877c10cd redhat/9/updates/i386/php-ldap-4.2.2-17.14.legacy.i386.rpm 1450f499aeac4db7d0d8c258b72d2f4c31747012 redhat/9/updates/i386/php-manual-4.2.2-17.14.legacy.i386.rpm 37cb28e9531af331954903f6b8df8509aa962a5c redhat/9/updates/i386/php-mysql-4.2.2-17.14.legacy.i386.rpm aa0378307ef06cd7f3464e59f4153d11d1d372f5 redhat/9/updates/i386/php-odbc-4.2.2-17.14.legacy.i386.rpm 00b4e55c27460abaa6d02019d7b40a73d5bdd913 redhat/9/updates/i386/php-pgsql-4.2.2-17.14.legacy.i386.rpm 8b9cf1cdafdf8f1afa9587c1f180d685632c1c65 redhat/9/updates/i386/php-snmp-4.2.2-17.14.legacy.i386.rpm 7bf7cf164de61276adf952694ee7c7d2fb86ea2e redhat/9/updates/SRPMS/php-4.2.2-17.14.legacy.src.rpm ca0fa574e713f27e91548a2e3e4dc2e8b087ff47 fedora/1/updates/i386/php-4.3.11-1.fc1.1.legacy.i386.rpm 53c419397f8f3f7625503afd8ab1a8ca0d65a197 fedora/1/updates/i386/php-devel-4.3.11-1.fc1.1.legacy.i386.rpm 72d65111cbaf7fb56ed879ee4278602e84868540 fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.1.legacy.i386.rpm fe8216746096b3a6070d43659944c158df23d1a9 fedora/1/updates/i386/php-imap-4.3.11-1.fc1.1.legacy.i386.rpm fb6f8fb5dd77f0dc5f58b85f26e25b5520366ca6 fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.1.legacy.i386.rpm d36a8ac545d151a20817a95d441d221c36edcb74 fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.1.legacy.i386.rpm f4d95a5cdb7fcbcdb1391a089a1ca65edf8e0e03 fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.1.legacy.i386.rpm a2a0944dfd1362ad186ab8b345d7e7ab32911a7a fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.1.legacy.i386.rpm 4d4546fecefc879004ebbfc596cd109f4d144ba7 fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.1.legacy.i386.rpm 5d968e87611c5dce727a492f149b3583e1588e30 fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.1.legacy.i386.rpm 22a069541240a9ab4f9fe62887cd7ea45d961238 fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.1.legacy.i386.rpm 08203f404d05ab58128b8b12c8b5a8e5ac53b34e fedora/1/updates/SRPMS/php-4.3.11-1.fc1.1.legacy.src.rpm b9f6accb0cdf84270147e80ec27e262936f5d125 fedora/2/updates/i386/php-4.3.11-1.fc2.2.legacy.i386.rpm e4cedd230b3727daaa064222e5402a18a89b4aca fedora/2/updates/i386/php-devel-4.3.11-1.fc2.2.legacy.i386.rpm fdab268ba8d6eb59309f324a929fae08e1bb12b1 fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.2.legacy.i386.rpm 960e1a97b673978778415aa2f2fcbf9a700b83da fedora/2/updates/i386/php-imap-4.3.11-1.fc2.2.legacy.i386.rpm e6a04924bbd016fdb470a8448beda47ee2b75e77 fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.2.legacy.i386.rpm 019161cfaaa180f0fcb98a4d48a296d99ecca5b3 fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.2.legacy.i386.rpm 9252cfa6c6485a0b803e9483e1f43eb2624b1826 fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.2.legacy.i386.rpm 48c8743b590cc176cc3497f2c9225e402ec03b67 fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.2.legacy.i386.rpm 814fcfe1d33f6eea65b5bcd88ba6e54e2da3062a fedora/2/updates/i386/php-pear-4.3.11-1.fc2.2.legacy.i386.rpm d20c34df03bf67028f9ded420310b75a66c1db1d fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.2.legacy.i386.rpm d84ff3766026e802f9a815b8c599c19bfbeaaefa fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.2.legacy.i386.rpm 7792c85444679beab3a0bdc56e2d4666dcb9c963 fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.2.legacy.i386.rpm 0772ba5bc711edf55fcfe34b368881cc5ec09ed0 fedora/2/updates/SRPMS/php-4.3.11-1.fc2.2.legacy.src.rpm These packages are GPG signed by Fedora Legacy for security. Our key is available from http://www.fedoralegacy.org/about/security.php You can verify each package with the following command: rpm --checksig -v <filename> If you only wish to verify that each package has not been corrupted or tampered with, examine only the sha1sum with the following command: sha1sum <filename> 8. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0524 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0525 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1042 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1043 9. Contact: The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>. More project details at http://www.fedoralegacy.org ---------------------------------------------------------------------
Attachment:
signature.asc
Description: OpenPGP digital signature