dcsimg
Linux Today: Linux News On Internet Time.





More on LinuxToday


SUSE Linux Advisory: php4/mod_php4

Jul 18, 2004, 03:55 (0 Talkback[s])

SUSE Security Announcement

Package: php4/mod_php4
Announcement-ID: SUSE-SA:2004:021
Date: Friday, Jul 16th 2004 13:00:00 MEST
Affected products: 8.0, 8.1, 8.2, 9.0, 9.1, SuSE Linux Enterprise Server 8, SuSE Linux Office Server, UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE default package: No.
Cross References: CAN-2004-0594 CAN-2004-0595 http://security.e-matters.de/advisories/112004.html

Content of this advisory:

  1. security vulnerability resolved: memory_limit problem, strip_tags() bypassing problem problem description, discussion, solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • sitecopy
    • cadaver
    • freeswan
    • ipsec-tools
    • apache2
    • dhcp/dhcp-server
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade information

PHP is a well known, widely-used scripting language often used within web server setups.
Stefan Esser found a problem with the "memory_limit" handling of PHP which allows remote attackers to execute arbitrary code as the user running the PHP interpreter. This problem has been fixed. Additionally a problem within the "strip_tags" function has been found and fixed which allowed remote attackers to inject arbitrary tags into certain web browsers, issuing XSS related attacks. Since there is no easy workaround except disabling PHP, we recommend an update for users running the PHP interpreter within the apache web server.

To be sure the update takes effect you have to restart the apache process by executing the following command as root:

/usr/sbin/rcapache restart

or if you use the apache2 package

/usr/sbin/rcapache2 restart

Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update.
Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.

x86 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.rpm efdc7667b7f5d9ee3ef4af428ec7d9ec
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.rpm 8cb2d1a863694ced982bfd7a38481c0a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.rpm 7e7435b1ba7bbb4412478360ef5c9572
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.rpm 342aeccff4de94fa41e591dc28b4995e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.rpm e3d5f8e5612bee3b6ba008404f90fb55
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.rpm 4f2520897321dcc99c3ba5adb9153ff6
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.patch.rpm dad5281b43fe630aa3db43580afaf76a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.patch.rpm 41c7f677bb593066322f1790766039fd
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.patch.rpm 93c1ed2eec77c6e56d3adffa1491dd82
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.patch.rpm 7d428eaf1463cac357c0cdcaca9d50d2
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.patch.rpm 072871a11fac7bff0f9c5598248fd2ba
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.patch.rpm f53d6ff178db5b81d43dfb2a36cf391f
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm f83b6501a1f8630e24be36921b5fce49

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.rpm e50812ce7fb1fb3113d3cae78a85ad5e
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.rpm cdd59314c94b883d2bd5a537b3f43b7b
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.rpm bda2735824a4ee3cd4cfe9372751939c
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.patch.rpm c3dba68761eefe25a772598cf018fb7e
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.patch.rpm 62e775ec9ffea0d6d2f85e225ed63b38
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.patch.rpm e2513d45b0b22731a05dfde7e3b0448c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm fc2b7442cc450384b2b856831d267385

SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.rpm 8be50387c34e6248318ed53e36e2512f
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.rpm a3c14b203e93bf64a68e8430a3fb4d86
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.patch.rpm 5a8fe03a1a64f41b959562702b1a8f83
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.patch.rpm 21e0eea787c4da34e03f329bc568ab6d
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mod_php4-4.3.1-169.src.rpm 8e3e2270a3efe3f315099d265f8324de

SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.rpm 0ec06130362ed94e55e6bb79a2844a37
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.rpm a4d2a49e1f137155578f3f2bde1b5fa2
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.rpm 9142fa285d3710e35c4a3d135b455535
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.patch.rpm 1f868989e0920f6aabc665e75c4260f6
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.patch.rpm 2b091542a122162c83b23fb2f13331ff
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.patch.rpm d3f9ef5b71017c34e3d17ee1a628b43c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mod_php4-4.2.2-479.src.rpm 08bc2803338c266c725191c3e0eeba97

SUSE Linux 8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.rpm fdcc67031dd330a79993fe65d7764321
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.rpm 73376bc40edef9df878de4bd62eedfa5
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.rpm 7e33a1da4f9a5500cfe6abee51db3ee3
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.patch.rpm 5fca682f3c7f409cac2a059ec7e1bfdb
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.patch.rpm 030d6c2af596bd6afb9c7aea694450bb
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.patch.rpm caf932e5dfb4951758f41098b80c1ff5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/mod_php4-4.1.0-317.src.rpm 126bed26b2d74293a00ecb2699efcd8a

x86-64 Platform:

SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.rpm 90daa6052475e07b8f76f58a86aa6315
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.rpm 7abfa94cdc7870d68e938a5c8c995be2
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.rpm 6a1c8f7b8a3f866e31ed8d5b601975e7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.rpm 5fa4df5b6f620132cc878f5a48511af7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.rpm 151365c7b03323c0b5b68803d94a3b62
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.rpm 63a73e34fcb6d6ea0deb1edfb6c0b23b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.patch.rpm 497481846ba5a990cb28edc69b5a4222
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.patch.rpm 8bc486a4a22ba827213c8a199b33e40c
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.patch.rpm fbdea242ea256a6178168ac4d3513d9b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.patch.rpm 5d082d666c53aa76e443878322a5ef9a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.patch.rpm 6775fc0b073ec7cf20ce7a7b18113846
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.patch.rpm ada500d6680eaabd6660abd490e90936
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm edb55d94ded7ecf53c8eecf1f4295a4c

SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.rpm 9ed20898e90b820937476df2f03fb7d5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.rpm dbdb9c40d98990cfb388e208e41db175
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.rpm 16540dcb5bb480448cd0afd8d494f40d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.patch.rpm 465038b0c123f5d3240672c11bdc996a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.patch.rpm efe5ff6682739a555bf608edc3f7ed92
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.patch.rpm c7a6e0b12f6064c5ac2590e631325421
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm 1ce2db40eea8d9b5e43129bc6d66df95


2) Pending vulnerabilities in SUSE Distributions and Workarounds:

  • sitecopy
    The sitecopy package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). New packages are available on our ftp servers.
  • cadaver
    The cadaver package includes a vulnerable version of the neon library (CAN-2004-0179, CAN-2004-0398). New packages will soon be available on our ftp servers.
  • freeswan
    A bug in the certificate chain authentication code could allow an attacker to authenticate any host against a FreeS/WAN server by presenting specially crafted certificates wrapped in a PKCS#7 file. New packages are available on our ftp servers.
  • ipsec-tools
    The racoon daemon which is responsible for handling IKE messages fails to reject invalid or self-signed X.509 certificates which allows for man-in-the-middle attacks on IPsec tunnels established via racoon. New packages are available on our ftp servers.
  • apache2
    A remote Denial of Service condition (CAN-2004-0493) has been fixed in Apache2. New packages are available on our ftp servers.
  • dhcp/dhcp-server
    A remotely exploitable buffer overflow has been fixed in the dhcp and dhcp-server packages. CERT has assigned VU#654390 to this issue. New packages are available on our ftp servers.

3) standard appendix: authenticity verification, additional information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed) announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command
      md5sum <name-of-the-file.rpm>
      after you downloaded the file from a SUSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software.
      Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command
      rpm -v --checksig <file.rpm>
      to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites:
      1. gpg is installed
      2. The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SUSE in rpm packages for SUSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root):
        gpg --batch; gpg < announcement.txt | gpg --import
        SUSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
  • SUSE runs two security mailing lists to which any interested party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion.
    All SUSE security announcements are sent to this list. To subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE's announce-only mailing list.
    Only SUSE's security announcements are sent to this list. To subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq) send mail to:

    <suse-security-info@suse.com> or
    <suse-security-faq@suse.com> respectively.


SUSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below.

The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>