[yellowdog-updates] Yellow Dog Linux Security Advisory: YDL-20020305-2


Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDL-20020305-2
dburcaw@newhope.terraplex.com
Date: Tue Mar 05 2002 - 04:07:23 MST


Yellow Dog Linux Security Announcement
--------------------------------------

Package: php
Issue Date: March 05, 2002
Priority: high
Advisory ID: YDU-20020305-1

1. Topic:

        The php packages have been updated to close
        security flaws recently discovered.

2. Problem:

        The version of PHP that shipped with YDL 2.0 and 2.1 contains two
        broken boundary checks. This could allow an attacker to execute
        arbitrary code on a remote system.

        The Common Vulnerabilities and Exposures project (cve.mitre.org) has
        assigned the name CAN-2002-0081 to this issue.

        All users of PHP are advised to immediately upgrade to these errata
        packages, which close these vulnerabilities.

        The php update provided also requires the mm package which was
        not shipped with YDL 2.1. mm is provided below and is necessary
        to install this update.

3. Solution:

           a) Updating via yup...
           We suggest that you use the Yellow Dog Update Program (yup)
           to keep your system up-to-date. The following command(s) will
           automatically retrieve and install the fixed version of
           this update onto your system:

                yup update php
                yup update php-devel
                yup update php-imap
                yup update php-ldap
                yup update php-manual
                yup update php-mysql
                yup update php-pgsql

           b) Updating manually...
           The update can also be retrieved manually from our ftp site
           below along with the rpm command that should be used to install
           the update. (Please use a mirror site)

                ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
                rpm -Fvh php-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-devel-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-imap-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-ldap-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-manual-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-mysql-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-pgsql-4.0.6-9.7.0.ppc.rpm
                rpm -ivh mm-1.1.3-2.ppc.rpm
                rpm -ivh mm-devel-1.1.3-2.ppc.rpm

4. Verification

MD5 checksum Package
-------------------------------- ----------------------------
3edf230d80f7544c9fff6e82a700fb7d ppc/php-4.0.6-9.7.0.ppc.rpm
dabe0d86e8d6550c0a640d115f2a16d2 ppc/php-devel-4.0.6-9.7.0.ppc.rpm
aff9acd773738cb1bd57b143aafaf0ba ppc/php-imap-4.0.6-9.7.0.ppc.rpm
36795abba05aaee794f2f50459f5526f ppc/php-ldap-4.0.6-9.7.0.ppc.rpm
4908c7cb092dd4ac5e9c6a2c879fe076 ppc/php-manual-4.0.6-9.7.0.ppc.rpm
4a805710e67843493b9f77e172118de6 ppc/php-mysql-4.0.6-9.7.0.ppc.rpm
6b3edada1afc1e1dd26692a5f93149b3 ppc/php-pgsql-4.0.6-9.7.0.ppc.rpm
e79b5a8538a4a6e5785f02a094d0c47c ppc/mm-1.1.3-2.ppc.rpm
e990ef608686c6cfb36ca830a5566319 ppc/mm-devel-1.1.3-2.ppc.rpm
b933af9678d592f7a6981bb3d797cc81 SRPMS/php-4.0.6-9.7.0.src.rpm
4a20830e63c895dcbf429d31c99f116a SRPMS/mm-1.1.3-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
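
Added example (not part of the original advisory): a POSIX shell function that compares downloaded packages against the MD5 table in section 4, which complements `rpm --checksig --nogpg`, since that command only checks the digest stored inside each package. The function name `verify_advisory_md5` and its two arguments (a text file holding the saved table, and the download directory) are assumptions made for this example.

```shell
#!/bin/sh
# verify_advisory_md5 TABLE DIR   (hypothetical helper, added example)
# TABLE: text file with rows "<32-hex md5> <path>" as in section 4;
#        the header and dashed separator rows are skipped.
# DIR:   directory holding the downloaded .rpm files.
# Returns 0 only if at least one row was checked and every listed
# file is present and matches its published digest.
verify_advisory_md5() {
    table=$1 dir=$2 rc=0 n=0
    while read -r want path _ || [ -n "$want" ]; do
        # Accept only rows that start with a 32-digit lowercase hex digest.
        case $want in
            ''|*[!0-9a-f]*) continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        [ -n "$path" ] || continue
        name=${path##*/}          # table rows carry ppc/ or SRPMS/ prefixes
        n=$((n + 1))
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)"; rc=1
        fi
    done < "$table"
    # An empty or unparsable table must not count as success.
    [ "$n" -gt 0 ] || rc=1
    return "$rc"
}

# Stand-alone use: sh script.sh <saved-table-file> <download-directory>
if [ "$#" -eq 2 ]; then
    verify_advisory_md5 "$1" "$2"
fi
```

A MISSING row is reported as a failure, so a table that lists source packages you did not download should be trimmed to the files you actually fetched.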

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml


