Fedora Legacy Test Update Notification: php

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 17 22:14:09 UTC 2005 

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2344
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2344
2005-02-17
---------------------------------------------------------------------

Name        : php
Versions    : rh7.3: php-4.1.2-7.3.13.legacy
Versions    : rh9: php-4.2.2-17.9.legacy
Versions    : fc1: php-4.3.8-1.4.legacy
Summary     : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Updated php packages that fix various security issues are now available.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

An information disclosure bug was discovered in the parsing of "GPC"
variables in PHP (query strings or cookies, and POST form data). If
particular scripts used the values of the GPC variables, portions of the
memory space of an httpd child process could be revealed to the client.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0958 to this issue.

A file access bug was discovered in the parsing of "multipart/form-data"
forms, used by PHP scripts which allow file uploads. In particular
configurations, some scripts could allow a malicious client to upload
files to an arbitrary directory where the "apache" user has write
access. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0959 to this issue.

Flaws were found in shmop_write, pack, and unpack PHP functions. These
functions are not normally passed user supplied data, so would require a
malicious PHP script to be exploited. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1018 to
this issue.

Flaws including possible information disclosure, double free, and
negative reference index array underflow were found in the
deserialization code of PHP. PHP applications may use the unserialize
function on untrusted user data, which could allow a remote attacker to
gain access to memory or potentially execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-1019 to this issue.

A flaw in the exif extension of PHP was found which lead to a stack
overflow. An attacker could create a carefully crafted image file in
such a way that if parsed by a PHP script using the exif extension it
could cause a crash or potentially execute arbitrary code. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-1065 to this issue.

Users of PHP should upgrade to these updated packages, which contain
fixes for these issues.

---------------------------------------------------------------------
7.3 changelog:
* Mon Jan 31 2005 John Dalbec <jpdalbec at ysu.edu> 4.1.2-7.3.13.legacy
- Fix typo in OpenPKG backport patch (filename -> filenamebuf)
- * Sun Jan 23 2005 Leonard den Ottolander <leonard * den ottolander nl> 
4.1.2-7.3.11.legacy
   - fix possible double-free in unserializer (CAN-2004-1019)
   - fix integer overflows in pack() (CAN-2004-1018, requires
     malicious script to exploit)
- Remove redundant CAN-2004-1018 sections from OpenPKG backport patch

* Wed Jan 05 2005 Pekka Savola <pekkas at netcore.fi> 4.1.2-6.3.12.legacy
- Use a more complete patch, some parts had been left off
   by accident.

* Mon Jan 03 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
4.1.2-7.3.11.legacy
- Added OpenPKG patch backport for CAN-2004-1018, CAN-2004-1019, 
CAN-2004-1063,
   CAN-2004-1064 and CAN-2004-1065

9 changelog:
* Wed Dec 22 2004 Pekka Savola <pekkas at netcore.fi> 4.2.2-17.9.legacy
- Replace the previous patches with a complete OpenPKG backport, fixing the
issues (and more of them) more extensively.

* Tue Dec 21 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 
4.2.2-17.8.legacy
- Added security patches for CAN-2004-1019 and CAN-2004-1065

fc1 changelog:
* Fri Feb 11 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
4.3.8-1.4.legacy
- Added missing sendmail, w3c-libwww-devel and flex BuildRequires

* Mon Jan 03 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
4.3.8-1.3.legacy
- Added patches for CAN-2004-0958 and CAN-2004-0959

* Tue Dec 21 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 
4.3.8-1.2.legacy
- Added OpenPKG patch for CAN-2004-1018, CAN-2004-1019, CAN-2004-1063,
   CAN-2004-1064 and CAN-2004-1065

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

20ceb86ce6bfee68e7f6dc7e8512aa394a01a3ff 
redhat/7.3/updates-testing/i386/php-4.1.2-7.3.13.legacy.i386.rpm
5f4698e0e7f357b576b3be41c517ee6a271b67ef 
redhat/7.3/updates-testing/i386/php-devel-4.1.2-7.3.13.legacy.i386.rpm
3229575f1627cd90fd0e83ef1f59651734d7f896 
redhat/7.3/updates-testing/i386/php-imap-4.1.2-7.3.13.legacy.i386.rpm
18a92f6fae26997069ce137ac5da2faa028e3d07 
redhat/7.3/updates-testing/i386/php-ldap-4.1.2-7.3.13.legacy.i386.rpm
e7df41696b4a65769e8ffc61c64fd993421ded1e 
redhat/7.3/updates-testing/i386/php-manual-4.1.2-7.3.13.legacy.i386.rpm
394af4b551dc12e330623f8ea7ae81c26f19d1d6 
redhat/7.3/updates-testing/i386/php-mysql-4.1.2-7.3.13.legacy.i386.rpm
f18d793145a92bddcc8a9ad12889634cab1dd1a7 
redhat/7.3/updates-testing/i386/php-odbc-4.1.2-7.3.13.legacy.i386.rpm
65637930aae7002e74f173f137ad7ed5722cce71 
redhat/7.3/updates-testing/i386/php-pgsql-4.1.2-7.3.13.legacy.i386.rpm
503acf37e5d2afa3eef1d9c1f4b2241316a9a4b0 
redhat/7.3/updates-testing/i386/php-snmp-4.1.2-7.3.13.legacy.i386.rpm
cfe645d3341619ce5d8b64fe4d6041c7dd8f63dc 
redhat/7.3/updates-testing/SRPMS/php-4.1.2-7.3.13.legacy.src.rpm
2404b6151ce2d48fb52099670d05c23697fa1dc5 
redhat/9/updates-testing/i386/php-4.2.2-17.9.legacy.i386.rpm
5ca9ec0eda28b7d40a6429ed67e70365fb718cef 
redhat/9/updates-testing/i386/php-devel-4.2.2-17.9.legacy.i386.rpm
c3d8bde9bc7eaa15f48918c4806f6078d72f2340 
redhat/9/updates-testing/i386/php-imap-4.2.2-17.9.legacy.i386.rpm
28ff3b0b003a939c4b2ff55e3eea913b353489d3 
redhat/9/updates-testing/i386/php-ldap-4.2.2-17.9.legacy.i386.rpm
5b8a789a09ed58ab09622a326949b375de105e61 
redhat/9/updates-testing/i386/php-manual-4.2.2-17.9.legacy.i386.rpm
53daa8f099545603c5fb1e99c16f26e579f9efcf 
redhat/9/updates-testing/i386/php-mysql-4.2.2-17.9.legacy.i386.rpm
00e9f225ad329b03f93eb53230987329dabce2ba 
redhat/9/updates-testing/i386/php-odbc-4.2.2-17.9.legacy.i386.rpm
d98539ee8c8ec0c74300a2ebca09faece95e880f 
redhat/9/updates-testing/i386/php-pgsql-4.2.2-17.9.legacy.i386.rpm
c1b98df3b0dae17b795790601e9f588a9ae40d87 
redhat/9/updates-testing/i386/php-snmp-4.2.2-17.9.legacy.i386.rpm
1ef77dcc2fa8670f61ef5ae8b6cbafeed8c984ee 
redhat/9/updates-testing/SRPMS/php-4.2.2-17.9.legacy.src.rpm
7952222f4a7741740e1b96596e88c294c4ca4a0b 
fedora/1/updates-testing/i386/php-4.3.8-1.4.legacy.i386.rpm
3c17207bda513e7113f5c3af7a9791c7c8b9f53b 
fedora/1/updates-testing/i386/php-devel-4.3.8-1.4.legacy.i386.rpm
a2ffa8a9252cb16b705974e07b5f5bfb08b2f18b 
fedora/1/updates-testing/i386/php-domxml-4.3.8-1.4.legacy.i386.rpm
f26692e01ee5ccfbbb99903ff591e3d502a1e8b7 
fedora/1/updates-testing/i386/php-imap-4.3.8-1.4.legacy.i386.rpm
c42c6276460a5cd78b67a808f9fbfb71f5183130 
fedora/1/updates-testing/i386/php-ldap-4.3.8-1.4.legacy.i386.rpm
14d898c1aa634bf0f4596ce06f3f8418b97247a1 
fedora/1/updates-testing/i386/php-mbstring-4.3.8-1.4.legacy.i386.rpm
dba959ecf3a65f3b92246d3d22f15346ad681eff 
fedora/1/updates-testing/i386/php-mysql-4.3.8-1.4.legacy.i386.rpm
7f45350d2c16cc6af08472e29f1cd321a090ec46 
fedora/1/updates-testing/i386/php-odbc-4.3.8-1.4.legacy.i386.rpm
0042f60f7b3aeb1b8599f2c7c17cbce77e2d0dce 
fedora/1/updates-testing/i386/php-pgsql-4.3.8-1.4.legacy.i386.rpm
dd8fc7d39d3f46d4c4467c1b4b3aa7ef9036ceca 
fedora/1/updates-testing/i386/php-snmp-4.3.8-1.4.legacy.i386.rpm
010e49a5ce6fe3ee33f399106c4bec93748bb7a7 
fedora/1/updates-testing/i386/php-xmlrpc-4.3.8-1.4.legacy.i386.rpm
6df5177a5599bc58e9117a7b0e3bfda9366cf13e 
fedora/1/updates-testing/SRPMS/php-4.3.8-1.4.legacy.src.rpm

---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20050217/bef76829/attachment.sig>

More information about the fedora-legacy-list mailing list