OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /e/openpkg/cvs                   Email:  [EMAIL PROTECTED]
  Module: openpkg-web                      Date:   07-Jul-2003 16:26:31
  Branch: HEAD                             Handle: 2003070715263100

  Modified files:
    openpkg-web/security    OpenPKG-SA-2003.032-php.txt page.pl

  Log:
    finalize PHP SA

  Summary:
    Revision    Changes     Path
    1.2         +37 -29     openpkg-web/security/OpenPKG-SA-2003.032-php.txt
    1.18        +1  -1      openpkg-web/security/page.pl
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-web/security/OpenPKG-SA-2003.032-php.txt
  ============================================================================
  $ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.032-php.txt
  --- openpkg-web/security/OpenPKG-SA-2003.032-php.txt  7 Jul 2003 13:48:08 -0000      
 1.1
  +++ openpkg-web/security/OpenPKG-SA-2003.032-php.txt  7 Jul 2003 14:26:31 -0000      
 1.2
  @@ -1,3 +1,6 @@
  +-----BEGIN PGP SIGNED MESSAGE-----
  +Hash: SHA1
  +
   ________________________________________________________________________
   
   OpenPKG Security Advisory                            The OpenPKG Project
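Review bot: The "Hash: SHA1" armor header added at the top of the file fixes SHA-1 as the digest of the cleartext signature. SHA-1 is no longer collision resistant, so anyone re-signing or republishing this advisory should select a SHA-2 digest. The header and the signature block at the end of the file must also stay paired: once the BEGIN line is in place, an edit that touches only one of the two leaves the file unverifiable.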
  @@ -20,38 +23,39 @@
   Dependent Packages:  none
   
   Description:
  -  Wojciech Purczynski found [2] out that it is possible to allow remote
  -  attackers to bypass safe mode restrictions in PHP [1] 4.x to 4.2.2 and
  -  modify command line arguments to the MTA (e.g. sendmail) in the 5th
  -  argument to mail(), altering MTA behavior and possibly executing
  -  commands.  The Common Vulnerabilities and Exposures (CVE) project
  -  assigned the id CAN-2002-0985 [4] to the problem.
  +  A security advisory [3] states that in PHP [1] version 4.3.1 (but
  +  we at OpenPKG believe 4.2.x) and earlier, when transparent session
  +  ID support is enabled using the "session.use_trans_sid" option,
  +  the session ID is not escaped before use, which allows remote
  +  attackers to insert arbitrary script via the PHPSESSID parameter. The
  +  Common Vulnerabilities and Exposures (CVE) project assigned the id
  +  CAN-2003-0442 [6] to this problem.
  +
  +  Additionally, Wojciech Purczynski some time ago found out [2] that
  +  it is possible to allow remote attackers to by-pass "safe mode"
  +  restrictions in PHP [1] 4.x to 4.2.2 and modify command line arguments
  +  to the MTA (e.g. sendmail) in the 5th argument to mail(), altering MTA
  +  behavior and possibly executing commands. The Common Vulnerabilities
  +  and Exposures (CVE) project assigned the id CAN-2002-0985 [4] to this
  +  problem.
     
  -  Wojciech Purczynski also reported [2] that the mail function in PHP
  -  [1] 4.x to 4.2.2 does not filter ASCII control characters from its
  -  arguments, which could allow remote attackers to modify mail message
  -  content, including mail headers, and possibly use PHP as a "spam
  -  proxy." Depending on how The Common Vulnerabilities and Exposures
  -  (CVE) project assigned the id CAN-2002-0986 [5] to the problem.
  -
  -  A security advisory [3] states that in PHP [1] version 4.3.1 (but we
  -  at OpenPKG believe 4.2.x) and earlier, when transparent session ID
  -  support is enabled using the "session.use_trans_sid" option, the
  -  session ID is not escaped before use, which allows remote attackers to
  -  insert arbitrary script via the PHPSESSID parameter, The Common
  -  Vulnerabilities and Exposures (CVE) project assigned the id
  -  CAN-2003-0442 [6] to the problem.
  +  Wojciech Purczynski also reported [2] that the mail function in
  +  PHP [1] 4.x to 4.2.2 does not filter ASCII control characters from
  +  its arguments, which could allow remote attackers to modify mail
  +  message content, including mail headers, and possibly use PHP as a
  +  "spam proxy." The Common Vulnerabilities and Exposures (CVE) project
  +  assigned the id CAN-2002-0986 [5] to this problem.
   
     Please check whether you are affected by running "<prefix>/bin/rpm
  -  -q php". If you have the "php" package installed and its version
  -  is affected (see above), we recommend that you immediately upgrade
  -  it (see Solution).
  +  -q php". If you have the "php" package installed and its version is
  +  affected (see above), we recommend that you immediately upgrade it
  +  (see Solution).
   
   Solution:
     Select the updated source RPM appropriate for your OpenPKG release
  -  [9], fetch it from the OpenPKG FTP service [10] or a mirror
  -  location, verify its integrity [11], build a corresponding binary RPM
  -  from it [7] and update your OpenPKG installation by applying the binary
  +  [9], fetch it from the OpenPKG FTP service [10] or a mirror location,
  +  verify its integrity [11], build a corresponding binary RPM from
  +  it [7] and update your OpenPKG installation by applying the binary
     RPM [8]. For the current release OpenPKG 1.2, perform the following
     operations to permanently fix the security problem (for other releases
     adjust accordingly).
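Review bot: The parenthetical "(but we at OpenPKG believe 4.2.x)" in the new first paragraph of the Description leaves the affected range for CAN-2003-0442 ambiguous. It can be read as "only 4.2.x and earlier" or as "4.2.x as well as 4.3.1", and the reader needs that range to answer the "rpm -q php" check a few lines further down. Suggest stating the range explicitly and marking it as OpenPKG's own assessment. Two smaller points in the same hunk: the added text spells it "by-pass" where the removed text had "bypass", and "it is possible to allow remote attackers to by-pass" would read more clearly as "remote attackers can bypass". Dropping the dangling "Depending on how" fragment from the CAN-2002-0986 paragraph is a good fix.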
  @@ -65,9 +69,6 @@
     $ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.2.src.rpm
     $ su -
     # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.2.*.rpm
  -
  -  Additionally, we recommend that you rebuild and reinstall
  -  all dependent packages (see above), if any, too. [7][8]
   ________________________________________________________________________
   
   References:
  @@ -91,3 +92,10 @@
   for details on how to verify the integrity of this advisory.
   ________________________________________________________________________
   
  +-----BEGIN PGP SIGNATURE-----
  +Comment: OpenPKG <[EMAIL PROTECTED]>
  +
  +iD8DBQE/CYL2gHWT4GPEy58RAnF0AKDY5SbvJIffi3gXHt26g8BUA0AjHACgubJR
  +VIB2rswM6mLBz8FN6ooXf0o=
  +=Cp7d
  +-----END PGP SIGNATURE-----
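Review bot: The signature block added at the end of the file is a cleartext signature over the advisory body, so it is valid only for the exact text that was signed. This same revision also reflows the Description and Solution paragraphs and removes a sentence, so confirm the signature was made over the final 1.2 text, not over 1.1. Any later edit to this file, including a whitespace-only reflow, invalidates the signature and needs a re-sign in the same commit. A verification step before commit would catch a mismatch.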
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-web/security/page.pl
  ============================================================================
  $ cvs diff -u -r1.17 -r1.18 page.pl
  --- openpkg-web/security/page.pl      11 Jun 2003 11:04:01 -0000      1.17
  +++ openpkg-web/security/page.pl      7 Jul 2003 14:26:31 -0000       1.18
  @@ -13,7 +13,7 @@
   foreach my $sa (reverse sort @SA) {
       my ($base, $name, $year) = ($sa =~ m|^(OpenPKG-SA-((\d+)\..+))\.txt$|);
       next if ($name =~ m|^0000|);
  -    next if ($name =~ m|^2003\.03[2-9]|);
  +    next if ($name =~ m|^2003\.03[3-9]|);
       if ($this_year ne $year) {
           $sidebar .= "<br>\n";
           $this_year = $year;
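Review bot: The changed line "next if ($name =~ m|^2003\.03[3-9]|);" publishes an advisory by editing a hard-coded number range, and that range stops at 2003.039. A draft named 2003.040 or later would appear in the sidebar as soon as its file exists, before it is finalized. Suggest a single "last published" value compared numerically, or an explicit draft marker, instead of a character class that has to be hand-edited on every release. Separately, in the context lines, $name is used in "next if ($name =~ m|^0000|);" without checking that the match on $sa succeeded, so a file in @SA that does not fit the OpenPKG-SA-...txt pattern leaves $name undefined; a "next unless defined $name;" after the match would skip such entries cleanly.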
  @@ .
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
CVS Repository Commit List                     [EMAIL PROTECTED]
