Yellow Dog Linux Security Advisory: YDU-20030710-2
Terra Soft Security Team
yellowdog-updates@lists.terrasoftsolutions.com
Fri, 11 Jul 2003 14:38:21 -0600
Yellow Dog Linux Security Announcement
--------------------------------------
Package: php
Issue Date: Jul 10, 2003
Priority: medium
Advisory ID: YDU-20030710-2
1. Topic:
Updated php packages are available.
2. Problem:
"PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP server.
This update contains fixes for a number of bugs that include the use of
a PHP script as an ErrorDocument and possible POST body corruption in some
configurations.
Also included is a fix for a minor security problem. In PHP version 4.3.1
and earlier, when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use.
This allows a Cross Site Scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to
this issue.
All users of PHP are advised to upgrade to these erratum packages, which
contain back-ported patches to correct these issues."
From Red Hat Advisory
3. Solution:
a) Updating via yum...
We suggest that you use the yum program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
yum update php
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
ppc/php-ldap-4.2.2-17.2.ppc.rpm
ppc/php-imap-4.2.2-17.2.ppc.rpm
ppc/php-devel-4.2.2-17.2.ppc.rpm
ppc/php-4.2.2-17.2.ppc.rpm
ppc/php-snmp-4.2.2-17.2.ppc.rpm
ppc/php-pgsql-4.2.2-17.2.ppc.rpm
ppc/php-odbc-4.2.2-17.2.ppc.rpm
ppc/php-mysql-4.2.2-17.2.ppc.rpm
ppc/php-manual-4.2.2-17.2.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
e1f7e637f3af099274fe0b308ad4bfb4 SRPMS/php-4.2.2-17.2.src.rpm
ff542cf922f52d77dce780204391994f ppc/php-ldap-4.2.2-17.2.ppc.rpm
830a49c10596d6b1c25d178ea7333a11 ppc/php-imap-4.2.2-17.2.ppc.rpm
fea908ee0d1b2837b6e94bcf9b5287bf ppc/php-devel-4.2.2-17.2.ppc.rpm
1bb2a1d60dad727edbca5f3a45b8210c ppc/php-4.2.2-17.2.ppc.rpm
327ad818fb9d2ea7f23c5bfd87cedfce ppc/php-snmp-4.2.2-17.2.ppc.rpm
749ff5d07cd60d2e53ad28bf9a3b881f ppc/php-pgsql-4.2.2-17.2.ppc.rpm
67669cd41d2ff5a33898b03847bfcd58 ppc/php-odbc-4.2.2-17.2.ppc.rpm
10378ac22a3d5c23a08780a6df4c895b ppc/php-mysql-4.2.2-17.2.ppc.rpm
fa8569028c11bace1a88ff54176ce9e5 ppc/php-manual-4.2.2-17.2.ppc.rpm
If you wish to verify that each package has not been corrupted or
tampered with, examine the md5sum with the following command:
md5sum <filename>
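The manual check above can be run over the whole download directory before rpm -Fvh is invoked. The script below is an added example, not part of the original advisory: the helper name verify_manifest is hypothetical, and the demo files and their checksums are constructed stand-ins rather than the packages listed here. It assumes the table from section 4 has been saved to a text file and the packages sit flat in one directory.

```shell
#!/bin/sh
# Added example: check downloaded RPMs against an advisory-style MD5 table
# ("<md5> <dir>/<file>" per line) before installing them.

# verify_manifest MANIFEST DIR (hypothetical helper name)
# Prints one status line per entry; returns 0 only if every listed file
# exists in DIR and matches its checksum.
verify_manifest() {
    manifest=$1 dir=$2 failed=0 checked=0
    while read -r sum path _ || [ -n "$sum" ]; do
        # Skip headers, rules and blanks: an entry starts with 32 hex digits.
        case $sum in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#sum}" -eq 32 ] && [ -n "$path" ] || continue
        checked=$((checked + 1))
        file=$dir/${path##*/}      # packages are saved flat, without "ppc/"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; failed=1; continue
        fi
        actual=$(md5sum < "$file" | cut -d' ' -f1)
        expected=$(printf '%s' "$sum" | tr 'A-F' 'a-f')
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; failed=1
        fi
    done < "$manifest"
    # An empty or unparsable manifest must not count as success.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: stand-in files, one listed with a checksum it no longer matches.
demo=$(mktemp -d)
printf 'good payload' > "$demo/pkg-a-1.0.ppc.rpm"
printf 'altered payload' > "$demo/pkg-b-1.0.ppc.rpm"
{
    echo "MD5 checksum                     Package"
    echo "$(printf 'good payload' | md5sum | cut -d' ' -f1) ppc/pkg-a-1.0.ppc.rpm"
    echo "$(printf 'original payload' | md5sum | cut -d' ' -f1) ppc/pkg-b-1.0.ppc.rpm"
} > "$demo/manifest.txt"
if verify_manifest "$demo/manifest.txt" "$demo"; then
    echo "all packages verified; proceed with rpm -Fvh"
else
    echo "verification failed; do not install"
fi
rm -rf "$demo"
```

MD5 catches corruption in transit but is not collision-resistant; where the packages carry GPG signatures, `rpm --checksig` is the stronger tamper check.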
5. Misc.
Terra Soft has set up a moderated mailing list where these security,
bugfix, and package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.
For information regarding the usage of yum, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/yum.shtml