OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Thomas Lotterer Root: /e/openpkg/cvs Email: [EMAIL PROTECTED] Module: openpkg-web Date: 22-Jan-2003 14:01:33 Branch: HEAD Handle: 2003012213013101 Added files: openpkg-web/security OpenPKG-SA-2003.005-php.txt Modified files: openpkg-web security.txt security.wml Log: SA-2003.005-php; CAN-2002-1396 Summary: Revision Changes Path 1.13 +1 -0 openpkg-web/security.txt 1.29 +1 -0 openpkg-web/security.wml 1.1 +86 -0 openpkg-web/security/OpenPKG-SA-2003.005-php.txt ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-web/security.txt ============================================================================ $ cvs diff -u -r1.12 -r1.13 security.txt --- openpkg-web/security.txt 21 Jan 2003 13:49:01 -0000 1.12 +++ openpkg-web/security.txt 22 Jan 2003 13:01:31 -0000 1.13 @@ -1,3 +1,4 @@ +22-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.005-php> 21-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.004-cvs> 21-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.003-vim> 16-Jan-2003: Security Advisory: S<OpenPKG-SA-2003.002-dhcpd> @@ . patch -p0 <<'@@ .' Index: openpkg-web/security.wml ============================================================================ $ cvs diff -u -r1.28 -r1.29 security.wml --- openpkg-web/security.wml 21 Jan 2003 13:49:01 -0000 1.28 +++ openpkg-web/security.wml 22 Jan 2003 13:01:31 -0000 1.29 @@ -70,6 +70,7 @@ <a href="security/OpenPKG-SA-%0-%1.txt">TXT</a>)<br> </define-tag> <box bdspace=10 bgcolor="#e5e0d5"> + <sa 2003.005 php> <sa 2003.004 cvs> <sa 2003.003 vim> <sa 2003.002 dhcpd> @@ . patch -p0 <<'@@ .' Index: openpkg-web/security/OpenPKG-SA-2003.005-php.txt ============================================================================ $ cvs diff -u -r0 -r1.1 OpenPKG-SA-2003.005-php.txt --- /dev/null 2003-01-22 14:01:33.000000000 +0100 +++ OpenPKG-SA-2003.005-php.txt 2003-01-22 14:01:33.000000000 +0100 
@@ -0,0 +1,86 @@ +________________________________________________________________________ + +OpenPKG Security Advisory The OpenPKG Project +http://www.openpkg.org/security.html http://www.openpkg.org [EMAIL PROTECTED] [EMAIL PROTECTED] +OpenPKG-SA-2003.005 22-Jan-2003 +________________________________________________________________________ + +Package: php +Vulnerability: buffer overflow in "wordwrap" function +OpenPKG Specific: no + +Affected Releases: Affected Packages: Corrected Packages: +OpenPKG CURRENT <= php-4.2.3-20020907 >= php-4.3.0-20021228 +OpenPKG 1.2 none >= php-4.3.0-1.2.0 +OpenPKG 1.1 <= php-4.2.2-1.1.0 >= php-4.2.2-1.1.1 +OpenPKG 1.0 none >= php-4.0.6-1.0.1 + +Affected Releases: Dependent Packages: +OpenPKG CURRENT <= apache-1.3.27-20021129 >= apache-1.3.27-20021228 +OpenPKG 1.2 none >= apache-1.3.27-1.2.0 +OpenPKG 1.1 <= apache-1.3.26-1.1.2 >= apache-1.3.26-1.1.3 +OpenPKG 1.0 none >= apache-1.3.22-1.0.6 + +Description: + According to a bug report [0] from David F. Skoll + <[EMAIL PROTECTED]> a buffer overflow problem exists in the + "wordwrap" function of Personal HomePage (PHP) [1], a an HTML-embedded + scripting language. Thanks to David's input and help the source of the + problem was tracked down and corrected. The Common Vulnerabilities and + Exposures (CVE) project assigned the id CAN-2002-1396 [2] to the + problem. + + Please check whether you are affected by running "<prefix>/bin/rpm -q + php". If you have the "php" package installed and its version is + affected (see above), we recommend that you immediately upgrade it + (see Solution). [3][4] + + Also run "<prefix>/bin/rpm -qi apache". If you have the "apache" + package installed having the "with_mod_php" option set to "yes" and + its version is affected (see above), we recommend that you immediately + upgrade it (see Solution). 
[3][4] + +Solution: + Select the updated source RPM appropriate for your OpenPKG release + [5], fetch it from the OpenPKG FTP service [6] or a mirror + location, verify its integrity [7], build a corresponding binary RPM + from it [3] and update your OpenPKG installation by applying the binary + RPM [4]. For the release OpenPKG 1.1, perform the following + operations to permanently fix the security problem (for other releases + adjust accordingly). + + $ ftp ftp.openpkg.org + ftp> bin + ftp> cd release/1.1/UPD + ftp> get php-4.2.2-1.1.1.src.rpm + ftp> bye + $ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.1.src.rpm + $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.1.src.rpm + $ su - + # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.1.*.rpm + + Additionally, we recommend that you rebuild and reinstall + all dependent packages (see above), if any, too. [3][4] +________________________________________________________________________ + +References: + [0] http://bugs.php.net/bug.php?id=20927 + [1] http://www.php.net/ + [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 + [3] http://www.openpkg.org/tutorial.html#regular-source + [4] http://www.openpkg.org/tutorial.html#regular-binary + [5] ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.1.src.rpm + [6] ftp://ftp.openpkg.org/release/1.1/UPD/ + [7] http://www.openpkg.org/security.html#signature +________________________________________________________________________ + +For security reasons, this advisory was digitally signed with +the OpenPGP public key "OpenPKG <[EMAIL PROTECTED]>" (ID 63C4CB9F) +of the OpenPKG project which you can find under the official URL +http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To +check the integrity of this advisory, verify its digital signature by +using GnuPG (http://www.gnupg.org/). For instance, pipe this message to +the command "gpg --verify --keyserver keyserver.pgp.com". 
+________________________________________________________________________ + @@ . ______________________________________________________________________ The OpenPKG Project www.openpkg.org CVS Repository Commit List [EMAIL PROTECTED]
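Review bot: in the OpenPKG-SA-2003.005-php.txt hunk, the second table is headed only "Affected Releases: Dependent Packages:" although every row carries two version columns (e.g. "OpenPKG 1.1 <= apache-1.3.26-1.1.2 >= apache-1.3.26-1.1.3"); add a "Corrected Packages:" heading over the third column, matching the first table, so the reader can tell which apache versions carry the fix. In the same hunk the Description reads "a an HTML-embedded scripting language"; drop the stray "a". The Solution block already has the rpm "--checksig" step before "--rebuild", which is right, since the source RPM is fetched over plain FTP and the signature check is the only integrity guarantee the procedure offers; keep that ordering if the text is reworked.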