---

SUSE Linux Advisory: php4/mod_php4


SUSE Security Announcement

Package: php4/mod_php4
Announcement-ID: SUSE-SA:2004:021
Date: Friday, Jul 16th 2004 13:00:00 MEST
Affected products: 8.0, 8.1, 8.2, 9.0, 9.1, SuSE Linux Enterprise
Server 8, SuSE Linux Office Server, UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE default package: No.
Cross References: CAN-2004-0594 CAN-2004-0595 http://security.e-matters.de/advisories/112004.html

Content of this advisory:

  1. security vulnerability resolved: memory_limit problem,
    strip_tags() bypassing problem problem description, discussion,
    solution and upgrade information
  2. pending vulnerabilities, solutions, workarounds:
    • sitecopy
    • cadaver
    • freeswan
    • ipsec-tools
    • apache2
    • dhcp/dhcp-server
  3. standard appendix (further information)

1) problem description, brief discussion, solution, upgrade
information

PHP is a well known, widely-used scripting language often used
within web server setups.
Stefan Esser found a problem with the “memory_limit” handling of
PHP which allows remote attackers to execute arbitrary code as the
user running the PHP interpreter. This problem has been fixed.
Additionally a problem within the “strip_tags” function has been
found and fixed which allowed remote attackers to inject arbitrary
tags into certain web browsers, issuing XSS related attacks. Since
there is no easy workaround except disabling PHP, we recommend an
update for users running the PHP interpreter within the apache web
server.

To be sure the update takes effect you have to restart the
apache process by executing the following command as root:

/usr/sbin/rcapache restart

or if you use the apache2 package

/usr/sbin/rcapache2 restart

Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.

x86 Platform:

SUSE Linux 9.1:

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.rpm

efdc7667b7f5d9ee3ef4af428ec7d9ec

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.rpm

8cb2d1a863694ced982bfd7a38481c0a

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.rpm

7e7435b1ba7bbb4412478360ef5c9572

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.rpm

342aeccff4de94fa41e591dc28b4995e

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.rpm

e3d5f8e5612bee3b6ba008404f90fb55

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.rpm

4f2520897321dcc99c3ba5adb9153ff6
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.patch.rpm

dad5281b43fe630aa3db43580afaf76a

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.patch.rpm

41c7f677bb593066322f1790766039fd

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.patch.rpm

93c1ed2eec77c6e56d3adffa1491dd82

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.patch.rpm

7d428eaf1463cac357c0cdcaca9d50d2

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.patch.rpm

072871a11fac7bff0f9c5598248fd2ba

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.patch.rpm

f53d6ff178db5b81d43dfb2a36cf391f
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm

f83b6501a1f8630e24be36921b5fce49

SUSE Linux 9.0:

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.rpm

e50812ce7fb1fb3113d3cae78a85ad5e

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.rpm

cdd59314c94b883d2bd5a537b3f43b7b

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.rpm

bda2735824a4ee3cd4cfe9372751939c
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.patch.rpm

c3dba68761eefe25a772598cf018fb7e

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.patch.rpm

62e775ec9ffea0d6d2f85e225ed63b38

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.patch.rpm

e2513d45b0b22731a05dfde7e3b0448c
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm

fc2b7442cc450384b2b856831d267385

SUSE Linux 8.2:

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.rpm

8be50387c34e6248318ed53e36e2512f

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.rpm

a3c14b203e93bf64a68e8430a3fb4d86
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.patch.rpm

5a8fe03a1a64f41b959562702b1a8f83

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.patch.rpm

21e0eea787c4da34e03f329bc568ab6d
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mod_php4-4.3.1-169.src.rpm

8e3e2270a3efe3f315099d265f8324de

SUSE Linux 8.1:

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.rpm

0ec06130362ed94e55e6bb79a2844a37

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.rpm

a4d2a49e1f137155578f3f2bde1b5fa2

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.rpm

9142fa285d3710e35c4a3d135b455535
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.patch.rpm

1f868989e0920f6aabc665e75c4260f6

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.patch.rpm

2b091542a122162c83b23fb2f13331ff

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.patch.rpm

d3f9ef5b71017c34e3d17ee1a628b43c
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mod_php4-4.2.2-479.src.rpm

08bc2803338c266c725191c3e0eeba97

SUSE Linux 8.0:

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.rpm

fdcc67031dd330a79993fe65d7764321

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.rpm

73376bc40edef9df878de4bd62eedfa5

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.rpm

7e33a1da4f9a5500cfe6abee51db3ee3
patch rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.patch.rpm

5fca682f3c7f409cac2a059ec7e1bfdb

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.patch.rpm

030d6c2af596bd6afb9c7aea694450bb

ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.patch.rpm

caf932e5dfb4951758f41098b80c1ff5
source rpm(s):

ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/mod_php4-4.1.0-317.src.rpm

126bed26b2d74293a00ecb2699efcd8a

x86-64 Platform:

SUSE Linux 9.1:

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.rpm

90daa6052475e07b8f76f58a86aa6315

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.rpm

7abfa94cdc7870d68e938a5c8c995be2

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.rpm

6a1c8f7b8a3f866e31ed8d5b601975e7

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.rpm

5fa4df5b6f620132cc878f5a48511af7

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.rpm

151365c7b03323c0b5b68803d94a3b62

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.rpm

63a73e34fcb6d6ea0deb1edfb6c0b23b
patch rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.patch.rpm

497481846ba5a990cb28edc69b5a4222

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.patch.rpm

8bc486a4a22ba827213c8a199b33e40c

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.patch.rpm

fbdea242ea256a6178168ac4d3513d9b

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.patch.rpm

5d082d666c53aa76e443878322a5ef9a

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.patch.rpm

6775fc0b073ec7cf20ce7a7b18113846

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.patch.rpm

ada500d6680eaabd6660abd490e90936
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm

edb55d94ded7ecf53c8eecf1f4295a4c

SUSE Linux 9.0:

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.rpm

9ed20898e90b820937476df2f03fb7d5

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.rpm

dbdb9c40d98990cfb388e208e41db175

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.rpm

16540dcb5bb480448cd0afd8d494f40d
patch rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.patch.rpm

465038b0c123f5d3240672c11bdc996a

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.patch.rpm

efe5ff6682739a555bf608edc3f7ed92

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.patch.rpm

c7a6e0b12f6064c5ac2590e631325421
source rpm(s):

ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm

1ce2db40eea8d9b5e43129bc6d66df95


2) Pending vulnerabilities in SUSE Distributions and
Workarounds:

  • sitecopy
    The sitecopy package includes a vulnerable version of the neon
    library (CAN-2004-0179, CAN-2004-0398). New packages are available
    on our ftp servers.
  • cadaver
    The cadaver package includes a vulnerable version of the neon
    library (CAN-2004-0179, CAN-2004-0398). New packages will soon be
    available on our ftp servers.
  • freeswan
    A bug in the certificate chain authentication code could allow an
    attacker to authenticate any host against a FreeS/WAN server by
    presenting specially crafted certificates wrapped in a PKCS#7 file.
    New packages are available on our ftp servers.
  • ipsec-tools
    The racoon daemon which is responsible for handling IKE messages
    fails to reject invalid or self-signed X.509 certificates which
    allows for man-in-the-middle attacks on IPsec tunnels established
    via racoon. New packages are available on our ftp servers.
  • apache2
    A remote Denial of Service condition (CAN-2004-0493) has been fixed
    in Apache2. New packages are available on our ftp servers.
  • dhcp/dhcp-server
    A remotely exploitable buffer overflow has been fixed in the dhcp
    and dhcp-server packages. CERT has assigned VU#654390 to this
    issue. New packages are available on our ftp servers.

3) standard appendix: authenticity verification, additional
information

  • Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers
    all over the world. While this service is being considered valuable
    and important to the free and open source software community, many
    users wish to be sure about the origin of the package and its
    content before installing the package. There are two verification
    methods that can be used independently from each other to prove the
    authenticity of a downloaded file or rpm package:

    1. md5sums as provided in the (cryptographically signed)
      announcement.
    2. using the internal gpg signatures of the rpm package.
    3. execute the command
      md5sum <name-of-the-file.rpm>
      after you downloaded the file from a SUSE ftp server or its
      mirrors. Then, compare the resulting md5sum with the one that is
      listed in the announcement. Since the announcement containing the
      checksums is cryptographically signed (usually using the key
      security@suse.de), the
      checksums show proof of the authenticity of the package. We
      disrecommend to subscribe to security lists which cause the email
      message containing the announcement to be modified so that the
      signature does not match after transport through the mailing list
      software.
      Downsides: You must be able to verify the authenticity of the
      announcement in the first place. If RPM packages are being rebuilt
      and a new version of a package is published on the ftp server, all
      md5 sums for the files are useless.
    4. rpm package signatures provide an easy way to verify the
      authenticity of an rpm package. Use the command
      rpm -v –checksig <file.rpm>
      to verify the signature of the package, where <file.rpm> is
      the filename of the rpm package that you have downloaded. Of
      course, package authenticity verification can only target an
      un-installed rpm package file. Prerequisites:

      1. gpg is installed
      2. The package is signed using a certain key. The public part of
        this key must be installed by the gpg program in the directory
        ~/.gnupg/ under the user’s home directory who performs the
        signature verification (usually root). You can import the key that
        is used by SUSE in rpm packages for SUSE Linux by saving this
        announcement to a file (“announcement.txt”) and running the command
        (do “su -” to be root):
        gpg –batch; gpg < announcement.txt | gpg –import
        SUSE Linux distributions version 7.1 and thereafter install the key
        build@suse.de” upon
        installation or upgrade, provided that the package gpg is
        installed. The file containing the public key is placed at the
        top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
        .
  • SUSE runs two security mailing lists to which any interested
    party may subscribe:

    suse-security@suse.com

  • general/linux/SUSE security discussion.
    All SUSE security announcements are sent to this list. To
    subscribe, send an email to

    <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com

  • SUSE’s announce-only mailing list.
    Only SUSE’s security announcements are sent to this list. To
    subscribe, send an email to

    <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
    send mail to:

    <suse-security-info@suse.com>
    or
    <suse-security-faq@suse.com>
    respectively.


SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.


The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.

Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis