Advisories, July 31, 2006

Gentoo Linux

http://security.gentoo.org/

Severity: High
Title: PHP: Multiple vulnerabilities
Date: May 08, 2006
Updated: July 24, 2006
Bugs: #127939, #128883, #131135, #133524
ID: 200605-08:02

Update

The initial fix did not properly fix the CVE-2006-1990 issue on 64 bit systems.

The updated sections appear below.

Affected packages

     Package       /  Vulnerable  /                         Unaffected

  1  dev-lang/php       < 5.1.4                               >= 5.1.4
                                                          *>= 4.4.2-r2
  2  dev-lang/php     < 5.1.4-r4                           >= 5.1.4-r4
                                                          *>= 4.4.2-r6
    -------------------------------------------------------------------
     # Package 1 only applies to ARM, HPPA, PPC, S390, SH, SPARC, x86
       and x86-FBSD users.
     # Package 2 only applies to ALPHA, AMD64, IA64 and PPC64 users.
    -------------------------------------------------------------------
     2 affected packages; please see the notes above...

Resolution

All PHP users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/php

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200605-08.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5

Slackware Linux

[slackware-security] mysql (SSA:2006-211-01)

New mysql packages are available for Slackware 10.2 to fix security issues (and other bugs). For complete details about the many fixes addressed by this release, you can find MySQL's news article about the MySQL 4.1.21 Community Edition release here:

http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html

More details about this issue may be found in the Common Vulnerabilities and Exposures (CVE) database:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469

Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/mysql-4.1.21-i486-1_slack10.2.tgz:
Upgraded to mysql-4.1.21.
This is a bugfix and security release.
For more details, see MySQL's news page about MySQL 4.1.21:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
The CVE entry may be found here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469
Thanks to Nino Petkov for pointing out this MySQL release to me. :-)
(* Security fix *)
+--------------------------+

Where to find the new packages:

HINT: Getting slow download speeds from ftp ftp.slackware.com? Give slackware.osuosl.org/ a try. This is another primary FTP site for Slackware that can be considerably faster than downloading from ftp.slackware.com/.

Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating additional FTP and rsync hosting to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you.

Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/mysql-4.1.21-i486-1_slack10.2.tgz

MD5 signatures:

Slackware 10.2 package:
36f6f7f158bf00953e5a0bd29737bc7c mysql-4.1.21-i486-1_slack10.2.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg mysql-4.1.21-i486-1_slack10.2.tgz

Then, restart the database server:
# sh /etc/rc.d/rc.mysqld restart

+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com