SUSE Security Announcement
Package: php4/mod_php4
Announcement-ID: SUSE-SA:2004:021
Date: Friday, Jul 16th 2004 13:00:00 MEST
Affected products: 8.0, 8.1, 8.2, 9.0, 9.1, SuSE Linux Enterprise
Server 8, SuSE Linux Office Server, UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE default package: No.
Cross References: CAN-2004-0594 CAN-2004-0595 http://security.e-matters.de/advisories/112004.html
Content of this advisory:
- security vulnerability resolved: memory_limit problem,
strip_tags() bypassing problem problem description, discussion,
solution and upgrade information - pending vulnerabilities, solutions, workarounds:
- sitecopy
- cadaver
- freeswan
- ipsec-tools
- apache2
- dhcp/dhcp-server
- standard appendix (further information)
1) problem description, brief discussion, solution, upgrade
information
PHP is a well known, widely-used scripting language often used
within web server setups.
Stefan Esser found a problem with the “memory_limit” handling of
PHP which allows remote attackers to execute arbitrary code as the
user running the PHP interpreter. This problem has been fixed.
Additionally a problem within the “strip_tags” function has been
found and fixed which allowed remote attackers to inject arbitrary
tags into certain web browsers, issuing XSS related attacks. Since
there is no easy workaround except disabling PHP, we recommend an
update for users running the PHP interpreter within the apache web
server.
To be sure the update takes effect you have to restart the
apache process by executing the following command as root:
/usr/sbin/rcapache restart
or if you use the apache2 package
/usr/sbin/rcapache2 restart
Please download the update package for your distribution and
verify its integrity by the methods listed in section 3) of this
announcement. Then, install the package using the command “rpm -Fhv
file.rpm” to apply the update.
Our maintenance customers are being notified individually. The
packages are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.rpm
efdc7667b7f5d9ee3ef4af428ec7d9ec
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.rpm
8cb2d1a863694ced982bfd7a38481c0a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.rpm
7e7435b1ba7bbb4412478360ef5c9572
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.rpm
342aeccff4de94fa41e591dc28b4995e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.rpm
e3d5f8e5612bee3b6ba008404f90fb55
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.rpm
4f2520897321dcc99c3ba5adb9153ff6
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.11.i586.patch.rpm
dad5281b43fe630aa3db43580afaf76a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.11.i586.patch.rpm
41c7f677bb593066322f1790766039fd
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.11.i586.patch.rpm
93c1ed2eec77c6e56d3adffa1491dd82
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.11.i586.patch.rpm
7d428eaf1463cac357c0cdcaca9d50d2
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.11.i586.patch.rpm
072871a11fac7bff0f9c5598248fd2ba
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.11.i586.patch.rpm
f53d6ff178db5b81d43dfb2a36cf391f
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm
f83b6501a1f8630e24be36921b5fce49
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.rpm
e50812ce7fb1fb3113d3cae78a85ad5e
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.rpm
cdd59314c94b883d2bd5a537b3f43b7b
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.rpm
bda2735824a4ee3cd4cfe9372751939c
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-177.i586.patch.rpm
c3dba68761eefe25a772598cf018fb7e
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-177.i586.patch.rpm
62e775ec9ffea0d6d2f85e225ed63b38
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-177.i586.patch.rpm
e2513d45b0b22731a05dfde7e3b0448c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm
fc2b7442cc450384b2b856831d267385
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.rpm
8be50387c34e6248318ed53e36e2512f
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.rpm
a3c14b203e93bf64a68e8430a3fb4d86
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-169.i586.patch.rpm
5a8fe03a1a64f41b959562702b1a8f83
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-169.i586.patch.rpm
21e0eea787c4da34e03f329bc568ab6d
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mod_php4-4.3.1-169.src.rpm
8e3e2270a3efe3f315099d265f8324de
SUSE Linux 8.1:
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.rpm
0ec06130362ed94e55e6bb79a2844a37
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.rpm
a4d2a49e1f137155578f3f2bde1b5fa2
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.rpm
9142fa285d3710e35c4a3d135b455535
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-4.2.2-479.i586.patch.rpm
1f868989e0920f6aabc665e75c4260f6
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-core-4.2.2-479.i586.patch.rpm
2b091542a122162c83b23fb2f13331ff
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/mod_php4-servlet-4.2.2-479.i586.patch.rpm
d3f9ef5b71017c34e3d17ee1a628b43c
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/mod_php4-4.2.2-479.src.rpm
08bc2803338c266c725191c3e0eeba97
SUSE Linux 8.0:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.rpm
fdcc67031dd330a79993fe65d7764321
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.rpm
73376bc40edef9df878de4bd62eedfa5
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.rpm
7e33a1da4f9a5500cfe6abee51db3ee3
patch rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-4.1.0-317.i386.patch.rpm
5fca682f3c7f409cac2a059ec7e1bfdb
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/mod_php4-core-4.1.0-317.i386.patch.rpm
030d6c2af596bd6afb9c7aea694450bb
ftp://ftp.suse.com/pub/suse/i386/update/8.0/n3/mod_php4-servlet-4.1.0-317.i386.patch.rpm
caf932e5dfb4951758f41098b80c1ff5
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/mod_php4-4.1.0-317.src.rpm
126bed26b2d74293a00ecb2699efcd8a
x86-64 Platform:
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.rpm
90daa6052475e07b8f76f58a86aa6315
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.rpm
7abfa94cdc7870d68e938a5c8c995be2
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.rpm
6a1c8f7b8a3f866e31ed8d5b601975e7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.rpm
5fa4df5b6f620132cc878f5a48511af7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.rpm
151365c7b03323c0b5b68803d94a3b62
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.rpm
63a73e34fcb6d6ea0deb1edfb6c0b23b
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.11.x86_64.patch.rpm
497481846ba5a990cb28edc69b5a4222
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.11.x86_64.patch.rpm
8bc486a4a22ba827213c8a199b33e40c
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.11.x86_64.patch.rpm
fbdea242ea256a6178168ac4d3513d9b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.11.x86_64.patch.rpm
5d082d666c53aa76e443878322a5ef9a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.11.x86_64.patch.rpm
6775fc0b073ec7cf20ce7a7b18113846
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.11.x86_64.patch.rpm
ada500d6680eaabd6660abd490e90936
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.11.src.rpm
edb55d94ded7ecf53c8eecf1f4295a4c
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.rpm
9ed20898e90b820937476df2f03fb7d5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.rpm
dbdb9c40d98990cfb388e208e41db175
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.rpm
16540dcb5bb480448cd0afd8d494f40d
patch rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-177.x86_64.patch.rpm
465038b0c123f5d3240672c11bdc996a
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-177.x86_64.patch.rpm
efe5ff6682739a555bf608edc3f7ed92
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-177.x86_64.patch.rpm
c7a6e0b12f6064c5ac2590e631325421
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-177.src.rpm
1ce2db40eea8d9b5e43129bc6d66df95
2) Pending vulnerabilities in SUSE Distributions and
Workarounds:
- sitecopy
The sitecopy package includes a vulnerable version of the neon
library (CAN-2004-0179, CAN-2004-0398). New packages are available
on our ftp servers. - cadaver
The cadaver package includes a vulnerable version of the neon
library (CAN-2004-0179, CAN-2004-0398). New packages will soon be
available on our ftp servers. - freeswan
A bug in the certificate chain authentication code could allow an
attacker to authenticate any host against a FreeS/WAN server by
presenting specially crafted certificates wrapped in a PKCS#7 file.
New packages are available on our ftp servers. - ipsec-tools
The racoon daemon which is responsible for handling IKE messages
fails to reject invalid or self-signed X.509 certificates which
allows for man-in-the-middle attacks on IPsec tunnels established
via racoon. New packages are available on our ftp servers. - apache2
A remote Denial of Service condition (CAN-2004-0493) has been fixed
in Apache2. New packages are available on our ftp servers. - dhcp/dhcp-server
A remotely exploitable buffer overflow has been fixed in the dhcp
and dhcp-server packages. CERT has assigned VU#654390 to this
issue. New packages are available on our ftp servers.
3) standard appendix: authenticity verification, additional
information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers
all over the world. While this service is being considered valuable
and important to the free and open source software community, many
users wish to be sure about the origin of the package and its
content before installing the package. There are two verification
methods that can be used independently from each other to prove the
authenticity of a downloaded file or rpm package:- md5sums as provided in the (cryptographically signed)
announcement. - using the internal gpg signatures of the rpm package.
- execute the command
md5sum <name-of-the-file.rpm>
after you downloaded the file from a SUSE ftp server or its
mirrors. Then, compare the resulting md5sum with the one that is
listed in the announcement. Since the announcement containing the
checksums is cryptographically signed (usually using the key
security@suse.de), the
checksums show proof of the authenticity of the package. We
disrecommend to subscribe to security lists which cause the email
message containing the announcement to be modified so that the
signature does not match after transport through the mailing list
software.
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless. - rpm package signatures provide an easy way to verify the
authenticity of an rpm package. Use the command
rpm -v –checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is
the filename of the rpm package that you have downloaded. Of
course, package authenticity verification can only target an
un-installed rpm package file. Prerequisites:- gpg is installed
- The package is signed using a certain key. The public part of
this key must be installed by the gpg program in the directory
~/.gnupg/ under the user’s home directory who performs the
signature verification (usually root). You can import the key that
is used by SUSE in rpm packages for SUSE Linux by saving this
announcement to a file (“announcement.txt”) and running the command
(do “su -” to be root):
gpg –batch; gpg < announcement.txt | gpg –import
SUSE Linux distributions version 7.1 and thereafter install the key
“build@suse.de” upon
installation or upgrade, provided that the package gpg is
installed. The file containing the public key is placed at the
top-level directory of the first CD (pubring.gpg) and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de
.
- md5sums as provided in the (cryptographically signed)
- SUSE runs two security mailing lists to which any interested
party may subscribe: - general/linux/SUSE security discussion.
All SUSE security announcements are sent to this list. To
subscribe, send an email to - SUSE’s announce-only mailing list.
Only SUSE’s security announcements are sent to this list. To
subscribe, send an email to<suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq)
send mail to:<suse-security-info@suse.com>
or
<suse-security-faq@suse.com>
respectively.
SUSE’s security contact is <security@suse.com> or
<security@suse.de>. The
<security@suse.de>
public key is listed below.
The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, it is desired that the clear-text signature shows
proof of the authenticity of the text.
SUSE Linux AG makes no warranties of any kind whatsoever with
respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID
pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>