
SOT Linux Advisory: php

[ Thanks to SOT Security Team for this link. ]

---------------------------------------------------------------------
                   SOT Linux Security Advisory

Subject:           Updated php package for SOT Linux 2002
Advisory ID:       SLSA-2002:21
Date:              Wednesday, October 2, 2002
Product:           SOT Linux 2002
---------------------------------------------------------------------

1. Problem description

The PHP Group has learned of a serious security vulnerability in
PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute
arbitrary code with the privileges of the web server.
This vulnerability may be exploited to compromise the web server
and, under certain conditions, to gain privileged access.

PHP contains code for intelligently parsing the headers of HTTP
POST requests. The code is used to differentiate between variables
and files sent by the user agent in a "multipart/form-data"
request. This parser has insufficient input checking, leading to
the vulnerability.
The vulnerability is exploitable by anyone who can send HTTP POST
requests to an affected web server. Both local and remote users,
even from behind firewalls, may be able to gain privileged access.


2. Updated packages

SOT Linux 2002 Server:

i386:
ftp://ftp.sot.com/updates/2002/Server/i386/php-4.2.3-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/php-devel-4.2.3-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/php-imap-4.2.3-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/php-ldap-4.2.3-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/php-mysql-4.2.3-1.i386.rpm
ftp://ftp.sot.com/updates/2002/Server/i386/php-manual-4.2.3-1.i386.rpm

SRPMS:
ftp://ftp.sot.com/updates/2002/Server/SRPMS/php-4.2.3-1.src.rpm

3. Upgrading package

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Use up2date to automatically upgrade the fixed packages.

If you want to upgrade manually, download the updated package from
the SOT Linux FTP site (use the links above) or from one of our mirrors.
The list of mirrors can be obtained at www.sot.com/en/linux

Update the package with the following command:
rpm -Uvh <filename>


4. Verification

All packages are PGP signed by SOT for security.

You can verify each package with the following command:
rpm --checksig <filename>

If you wish to verify the integrity of the downloaded package, run
"md5sum <filename>" and compare the output with the data given below.


Package Name                             MD5 sum
-------------------------------------------------------------------------
/Server/i386/php-4.2.3-1.i386.rpm        06920e88536f185382a8597519ec25da
/Server/i386/php-devel-4.2.3-1.i386.rpm  a6676fb1091623e016c338291c7cea40
/Server/i386/php-imap-4.2.3-1.i386.rpm   2f8c9129267e353652f4bdf58edc6879
/Server/i386/php-ldap-4.2.3-1.i386.rpm   2c755506e55f0590fbd48128dc4da280
/Server/i386/php-mysql-4.2.3-1.i386.rpm  5951fbb3596a1b130a0b1dd6dfeeae01
/Server/i386/php-manual-4.2.3-1.i386.rpm 2487b0fe46806b7ebaa1f71b0a85483b
/Server/SRPMS/php-4.2.3-1.src.rpm        cdf560c345f3dcdd61b048b2bffb921a
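
The check described in section 4, as an added example (not part of SOT's advisory): a shell function that reads a table in the layout above and compares each listed MD5 sum with the matching file in a download directory. The function name and its two arguments are assumptions, and the demo files are constructed stand-ins, not real packages.

```shell
#!/bin/sh
# verify_advisory_md5 TABLE DIR   (hypothetical helper, not an SOT tool)
# TABLE holds "<path> <md5>" rows as in section 4; header, separator and
# blank lines are skipped because their second field is not a 32-digit hex
# string. Returns 0 only if every listed file exists in DIR and matches.
verify_advisory_md5() {
    table=$1 dir=$2 failed=0 checked=0
    while read -r path want _rest || [ -n "$path" ]; do
        case $want in
            *[!0-9a-fA-F]*|"") continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        name=${path##*/}
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name"; failed=1; continue
        fi
        got=$(md5sum < "$dir/$name" | cut -d' ' -f1)
        checked=$((checked + 1))
        if [ "$got" = "$(echo "$want" | tr 'A-F' 'a-f')" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name (expected $want, got $got)"; failed=1
        fi
    done < "$table"
    # An empty or unparsable table must not count as success.
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Constructed demo: two stand-in files, one altered after the table is written.
demo() {
    d=$(mktemp -d)
    printf 'package-a' > "$d/a.rpm"
    printf 'package-b' > "$d/b.rpm"
    {
        echo "Package Name                 MD5 sum"
        echo "------------------------------------"
        echo "/Server/i386/a.rpm  $(md5sum < "$d/a.rpm" | cut -d' ' -f1)"
        echo "/Server/i386/b.rpm  $(md5sum < "$d/b.rpm" | cut -d' ' -f1)"
    } > "$d/table.txt"
    verify_advisory_md5 "$d/table.txt" "$d" && echo "all packages match"
    printf 'altered' >> "$d/b.rpm"
    verify_advisory_md5 "$d/table.txt" "$d" || echo "do not install"
    rm -rf "$d"
}
demo
```

A matching MD5 sum only shows that the download is intact; rpm --checksig remains the check that the package carries SOT's signature.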


5. References

http://ee.php.net/release_4_2_2.php

Copyright(c) 2001, 2002 SOT
