Yellow Dog Linux Security Advisory: YDU-20030710-2

Terra Soft Security Team yellowdog-updates@lists.terrasoftsolutions.com
Fri, 11 Jul 2003 14:38:21 -0600


Yellow Dog Linux Security Announcement
--------------------------------------

Package:	php
Issue Date:	Jul 10, 2003
Priority:	medium
Advisory ID: 	YDU-20030710-2


1. 	Topic:

	Updated php packages are available.


2. 	Problem:

	"PHP is an HTML-embedded scripting language commonly used with the Apache
	HTTP server.

	This update contains fixes for a number of bugs that include the use of
	a PHP script as an ErrorDocument and possible POST body corruption in some
	configurations.

	Also included is a fix for a minor security problem. In PHP version 4.3.1
	and earlier, when transparent session ID support is enabled using the
	"session.use_trans_sid" option, the session ID is not escaped before use.
	This allows a Cross Site Scripting attack. The Common Vulnerabilities and
	Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to
	this issue.

	All users of PHP are advised to upgrade to these erratum packages, which
	contain back-ported patches to correct these issues."
	
	From Red Hat Advisory

3. 	Solution:

	a) Updating via yum...
	We suggest that you use the yum program to keep your
	system up-to-date. The following command(s) will retrieve
	and install the fixed version of this update onto your system:

		yum update php

	b) Updating manually...
	Download the updates below and then run the following rpm command.
	(Please use a mirror site)

		rpm -Fvh [filenames]
		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
			ppc/php-ldap-4.2.2-17.2.ppc.rpm
			ppc/php-imap-4.2.2-17.2.ppc.rpm
			ppc/php-devel-4.2.2-17.2.ppc.rpm
			ppc/php-4.2.2-17.2.ppc.rpm
			ppc/php-snmp-4.2.2-17.2.ppc.rpm
			ppc/php-pgsql-4.2.2-17.2.ppc.rpm
			ppc/php-odbc-4.2.2-17.2.ppc.rpm
			ppc/php-mysql-4.2.2-17.2.ppc.rpm
			ppc/php-manual-4.2.2-17.2.ppc.rpm


4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------
e1f7e637f3af099274fe0b308ad4bfb4  SRPMS/php-4.2.2-17.2.src.rpm
ff542cf922f52d77dce780204391994f  ppc/php-ldap-4.2.2-17.2.ppc.rpm
830a49c10596d6b1c25d178ea7333a11  ppc/php-imap-4.2.2-17.2.ppc.rpm
fea908ee0d1b2837b6e94bcf9b5287bf  ppc/php-devel-4.2.2-17.2.ppc.rpm
1bb2a1d60dad727edbca5f3a45b8210c  ppc/php-4.2.2-17.2.ppc.rpm
327ad818fb9d2ea7f23c5bfd87cedfce  ppc/php-snmp-4.2.2-17.2.ppc.rpm
749ff5d07cd60d2e53ad28bf9a3b881f  ppc/php-pgsql-4.2.2-17.2.ppc.rpm
67669cd41d2ff5a33898b03847bfcd58  ppc/php-odbc-4.2.2-17.2.ppc.rpm
10378ac22a3d5c23a08780a6df4c895b  ppc/php-mysql-4.2.2-17.2.ppc.rpm
fa8569028c11bace1a88ff54176ce9e5  ppc/php-manual-4.2.2-17.2.ppc.rpm

If you wish to verify that each package has not been corrupted or
tampered with, compare its MD5 checksum against the table above using
the following command:

	md5sum <filename>
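
The per-file comparison can be scripted for the whole package set. The following is an added example, not part of the Terra Soft advisory: the function name verify_packages and the demo file names are hypothetical, and it assumes the checksum table has been saved to a text file in the layout shown in section 4.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against an advisory-style MD5 table.
# verify_packages MANIFEST DIR
#   MANIFEST: text with "<32 hex digits>  <path>" lines; any other line
#             (table header, dashed rule, blank) is ignored
#   DIR:      directory holding the downloaded files (matched by basename)
# Prints one status line per package; returns the number of problems found.
verify_packages() {
    manifest=$1 dir=$2 bad=0
    while read -r want path _; do
        # Accept only lines whose first field is exactly 32 hex digits.
        case $want in
            *[!0-9a-fA-F]*|'') continue ;;
        esac
        [ "${#want}" -eq 32 ] && [ -n "$path" ] || continue
        file=$dir/${path##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING   $path"; bad=$((bad + 1)); continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demo: two placeholder files, one altered after the table was made.
demo=$(mktemp -d)
printf 'package-a\n' > "$demo/a.rpm"
printf 'package-b\n' > "$demo/b.rpm"
{
    echo "MD5 checksum                      Package"
    echo "--------------------------------  -------"
    for f in a.rpm b.rpm; do
        echo "$(md5sum < "$demo/$f" | cut -d' ' -f1)  ppc/$f"
    done
} > "$demo/table.txt"
printf 'changed\n' >> "$demo/b.rpm"
verify_packages "$demo/table.txt" "$demo" || echo "problems found: $?"
rm -rf "$demo"
```

A matching MD5 only shows that the file equals what the table describes; where the packages are signed and the vendor key is imported, `rpm -K <filename>` also checks the signature.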


5. Misc.

Terra Soft has set up a moderated mailing list where these security,
bugfix, and package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml