-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                php4, php5
        Announcement-ID:        SUSE-SA:2005:023
        Date:                   Fri, 15 Apr 2005 12:00:00 +0000
        Affected products:      8.2, 9.0, 9.1, 9.2, 9.3
                                SUSE Linux Enterprise Server 8, 9

        Vulnerability Type:     remote denial of service
        Severity (1-10):        5
        SUSE default package:   no
        Cross References:       CAN-2005-0524
                                CAN-2005-0525


    Content of this advisory:
        1) security vulnerability resolved:
             php4 / php5 denial of service attack
           problem description
        2) solution/workaround
        3) special instructions and notes
        4) package location and checksums
        5) pending vulnerabilities, solutions, workarounds:
            none
        6) standard appendix (further information)

______________________________________________________________________________

1) problem description, brief discussion

    This update fixes the following security issues in the PHP scripting
    language:

    - A bug in getimagesize() EXIF handling which could lead to a denial of
      service attack.

      This is tracked by the Mitre CVE IDs CAN-2005-0524 and CAN-2005-0525.

    Additionally, a non-security bug was fixed:
    - Performance problems of unserialize() caused by a previous security
      fix to unserialize.

    All SUSE Linux based distributions shipping php4 and php5 were affected.

2) solution/workaround

    Please install the upgraded packages.

3) special instructions and notes

    Please make sure you restart the web server after this update.

4) package location and checksums

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 6) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered for installation from the maintenance web.



______________________________________________________________________________

5)  Pending vulnerabilities in SUSE Distributions and Workarounds:

    none
______________________________________________________________________________

6)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over
    the world. While this service is considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum <file>
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums prove the authenticity of the package.
       We advise against subscribing through security lists that modify the
       email message containing the announcement, so that the signature no
       longer matches after transport through the mailing list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig <file>
       to verify the signature of the package, where <file> is the
       filename of the rpm package that you have downloaded. Of course,
       package authenticity verification can only target an uninstalled rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory
           ~/.gnupg/ under the home directory of the user who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at  .
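    As an added example, not part of the SUSE announcement: a small POSIX
    shell script that applies method 1) and method 2) above to a downloaded
    update file. It assumes the announcement has been saved to a file whose
    checksum lines have the form "<md5>  <filename>" (the checksum list on
    this page lost its filenames in extraction, so any sample input is
    constructed), and that the SUSE build key has already been imported as
    described under b).

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): apply method 1) and 2) above to
# a downloaded update file.  Assumed announcement format: one line per
# package, "<md5>  <filename>", in a file whose signature was already checked.
set -u

# md5_of FILE: print the md5 hex digest of FILE (md5sum on Linux, md5 on BSD)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# verify_md5 ANNOUNCEMENT FILE
#   returns 0 = listed checksum matches, 1 = mismatch, 2 = no checksum listed
verify_md5() {
    ann=$1
    file=$2
    base=$(basename "$file")
    # pick the md5 whose second field is exactly this filename
    expected=$(awk -v f="$base" '$2 == f { print $1; exit }' "$ann")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $base in $ann" >&2
        return 2
    fi
    actual=$(md5_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo "md5 OK: $base"
        return 0
    fi
    echo "md5 MISMATCH: $base (listed $expected, got $actual)" >&2
    return 1
}

# verify_rpm_sig FILE: method 2), the package's embedded gpg signature.
# Requires rpm and the imported build key; returns rpm's exit status.
verify_rpm_sig() {
    rpm -v --checksig "$1"
}

# verify_update ANNOUNCEMENT FILE: both checks must pass before "rpm -Fhv"
verify_update() {
    verify_md5 "$1" "$2" && verify_rpm_sig "$2"
}
```

    Run it as "verify_update announcement.txt php4-<version>.rpm" from the
    directory holding the download; a non-zero exit means the file must not
    be installed.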


  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an email to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an email to
                .

    For general information or the frequently asked questions (faq)
    send mail to:
         or
         respectively.

    ====================================================================
    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================
