---------------------------------------------------------------------
                   Fedora Legacy Update Advisory

Synopsis:          Updated php packages fix security issues
Advisory ID:       FLSA:163559
Issue date:        2005-07-28
Product:           Fedora Core
Keywords:          Bugfix
CVE Names:         CAN-2005-1751 CAN-2005-1921
---------------------------------------------------------------------

---------------------------------------------------------------------
1. Topic:

Updated PHP packages that fix two security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the
Apache HTTP Web server.

2. Relevant releases/architectures:

Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was discovered in the PEAR XML-RPC Server package included in
PHP. If a PHP script is used which implements an XML-RPC Server using
the PEAR XML-RPC package, then it is possible for a remote attacker to
construct an XML-RPC request which can cause PHP to execute arbitrary
PHP commands as the 'apache' user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2005-1921
to this issue.

A race condition in temporary file handling was discovered in the
shtool script installed by PHP. If a third-party PHP module which uses
shtool was compiled as root, a local user may be able to modify
arbitrary files. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-1751 to this issue.

Users of PHP should upgrade to these updated packages, which contain
backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated.
Note that you can also use wildcards (*.rpm) if your current directory
*only* contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163559

6. RPMs required:

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/php-4.3.11-1.fc1.2.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/php-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-devel-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-domxml-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-imap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-ldap-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mbstring-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-mysql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-odbc-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-pgsql-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-snmp-4.3.11-1.fc1.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/php-xmlrpc-4.3.11-1.fc1.2.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/php-4.3.11-1.fc2.3.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/php-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-devel-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-domxml-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-imap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-ldap-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mbstring-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-mysql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-odbc-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-pgsql-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-snmp-4.3.11-1.fc2.3.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/php-xmlrpc-4.3.11-1.fc2.3.legacy.i386.rpm

7. Verification:

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921

9. Contact:

The Fedora Legacy security contact is <secnotice@xxxxxxxxxxxxxxxx>.
More project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
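An added example of scripting the sha1sum check above; it is not part of the advisory or of Fedora Legacy's tooling. It reads a manifest in the advisory's own "SHA1SUM  fedora/N/updates/..." line format, checks every listed file under a local download directory, and fails closed so that rpm -Fvh is only reached when the whole set is clean. The download directory, the manifest file and the package contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the Fedora Legacy advisory: check downloaded
# RPMs against an advisory-style "<sha1>  <relative path>" manifest and
# fail closed, so "rpm -Fvh" only runs on a clean set. Assumes the
# download directory mirrors the advisory's fedora/N/updates/... paths.

# verify_manifest MANIFEST DOWNLOAD_DIR -> 0 if every file matches, else 1
verify_manifest() {
    manifest=$1
    dir=$2
    bad=0
    while read -r expected relpath; do
        # Skip blank lines, the "SHA1 sum  Package Name" header and separators.
        case "$expected" in
            ""|SHA1|---*) continue ;;
        esac
        file="$dir/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath" >&2
            bad=1
            continue
        fi
        actual=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (got $actual, expected $expected)" >&2
            bad=1
        fi
    done < "$manifest"
    return "$bad"     # report every problem, then refuse as a whole
}

# Constructed demo: a fake package containing the line "hello"
# (sha1 f572d396fae9206628714fb2ce00f72e94f2258f) and a tampered copy.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/dl/fedora/1/updates/i386"
printf 'hello\n' > "$demo_dir/dl/fedora/1/updates/i386/php-demo.i386.rpm"
printf 'hellO\n' > "$demo_dir/dl/fedora/1/updates/i386/php-tampered.i386.rpm"
cat > "$demo_dir/manifest.txt" <<'EOF'
SHA1 sum                                  Package Name
---------------------------------------------------------------------
f572d396fae9206628714fb2ce00f72e94f2258f  fedora/1/updates/i386/php-demo.i386.rpm
f572d396fae9206628714fb2ce00f72e94f2258f  fedora/1/updates/i386/php-tampered.i386.rpm
EOF
# The tampered file fails, so the install command is never reached.
if verify_manifest "$demo_dir/manifest.txt" "$demo_dir/dl"; then echo "would run: rpm -Fvh ..."; fi
rm -rf "$demo_dir"
```

Note that sha1sum alone only detects corruption or tampering relative to the published list; the GPG signature check (rpm --checksig) is what ties the packages to Fedora Legacy's key.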