LinuxSecurity.com
RedHat: Important: php security update
Posted by Benjamin D. Thomas
Red Hat Linux: Updated PHP packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1. This update has been rated as having important security impact by the Red Hat Security Response Team.
- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: php security update
Advisory ID:       RHSA-2007:0154-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0154.html
Issue date:        2007-04-16
Updated on:        2007-04-16
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-1285 CVE-2007-1286 CVE-2007-1711 
- ---------------------------------------------------------------------

1. Summary:

Updated PHP packages that fix several security issues are now available for
Red Hat Enterprise Linux 2.1.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386

3. Problem description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server. 

A denial of service flaw was found in the way PHP processed a deeply nested
array. A remote attacker could cause the PHP interpreter to crash by
submitting an input variable with a deeply nested array. (CVE-2007-1285)

A flaw was found in the way PHP's unserialize() function processes data. If
a remote attacker is able to pass arbitrary data to PHP's unserialize()
function, it may be possible for them to execute arbitrary code as the
apache user. (CVE-2007-1286)

A double free flaw was found in PHP's session_decode() function. If a
remote attacker is able to pass arbitrary data to PHP's session_decode()
function, it may be possible for them to execute arbitrary code as the
apache user. (CVE-2007-1711)

Users of PHP should upgrade to these updated packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
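A small host check to go with the solution section, added here as an example and not Red Hat's own tooling: it compares the version-release of the installed php package against the fixed build 4.1.2-2.17 listed in section 6, segment by segment and numerically, so that release 2.9 is correctly treated as older than 2.17 (a plain string compare would get that wrong). The function names, the --check flag and the simplified comparison (numeric dot/dash segments only, not rpm's full rpmvercmp) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: is the installed php on a
# RHEL 2.1 host older than the fixed build from RHSA-2007:0154?
# Assumption: 4.1.2-2.17 (from php-4.1.2-2.17.*.rpm in section 6) is the
# fixed version-release; the compare is a simplified numeric-segment compare,
# sufficient for the all-numeric versions involved here.

FIXED_PHP_VR="4.1.2-2.17"

# vr_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Both strings are split on "." and "-" and compared segment by segment as
# integers; a missing trailing segment counts as 0.
vr_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { gsub(/[-.]/, " "); na = split($0, a) }
        NR == 2 { gsub(/[-.]/, " "); nb = split($0, b) }
        END {
            m = (na > nb) ? na : nb
            for (i = 1; i <= m; i++) {
                x = (i <= na) ? a[i] + 0 : 0
                y = (i <= nb) ? b[i] + 0 : 0
                if (x < y) { print "-1"; exit }
                if (x > y) { print "1"; exit }
            }
            print "0"
        }'
}

# php_needs_update INSTALLED_VR: succeeds (returns 0) when INSTALLED_VR is
# older than the fixed build, fails (returns 1) otherwise.
php_needs_update() {
    [ "$(vr_cmp "$1" "$FIXED_PHP_VR")" -lt 0 ]
}

# installed_php_vr: version-release of the installed php package; fails when
# rpm is unavailable or php is not installed.
installed_php_vr() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' php 2>/dev/null
}

# When run as "sh check-php.sh --check", report this host's status.
if [ "${1:-}" = "--check" ]; then
    vr=$(installed_php_vr) || { echo "rpm not available or php not installed" >&2; exit 2; }
    if php_needs_update "$vr"; then
        echo "php-$vr is older than php-$FIXED_PHP_VR: apply RHSA-2007:0154"
        exit 1
    fi
    echo "php-$vr is at or beyond the fixed build"
fi
```

The exit status of the --check mode (0 patched, 1 needs update, 2 could not determine) makes the script usable from a fleet-wide inventory job.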

5. Bug IDs fixed (http://bugzilla.redhat.com/):

235225 - CVE-2007-1285 Multiple "Month of PHP Bugs" PHP issues (CVE-2007-1286, CVE-2007-1711)

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/php-4.1.2-2.17.src.rpm
9820e0982acdf72a0f8c9af02f4e5f6a  php-4.1.2-2.17.src.rpm

i386:
856a5725715e6d970d7fe5fce209780c  php-4.1.2-2.17.i386.rpm
98b74cc772436080d6f1b0b08e4a5690  php-devel-4.1.2-2.17.i386.rpm
403e01c242b079c3988c25c6406c3734  php-imap-4.1.2-2.17.i386.rpm
e2cc407fd74569e37e95f27f0aa0c873  php-ldap-4.1.2-2.17.i386.rpm
b6876b825654e6dd9cd5b400da47611c  php-manual-4.1.2-2.17.i386.rpm
442f5cacbbf06f9a3b6e1d359c9acd55  php-mysql-4.1.2-2.17.i386.rpm
8ba4b70e2f358f4c35775b90b955e88e  php-odbc-4.1.2-2.17.i386.rpm
03b45786fdaea33bcc179b2d375f9995  php-pgsql-4.1.2-2.17.i386.rpm

ia64:
f03338d56473c9c2af996e5de897d843  php-4.1.2-2.17.ia64.rpm
d3d03471a50878eb9330ca226ce47da9  php-devel-4.1.2-2.17.ia64.rpm
efe489bd298c35685ba6127ebcb67575  php-imap-4.1.2-2.17.ia64.rpm
a35e27188fb680cd0f192ea85065f7ae  php-ldap-4.1.2-2.17.ia64.rpm
22aed8fc2144c5e23ffb65aeb792b8fa  php-manual-4.1.2-2.17.ia64.rpm
abc59cffe540ebdc24d968ae3bb716c7  php-mysql-4.1.2-2.17.ia64.rpm
58fefa66509e3babfecb58f2642116e8  php-odbc-4.1.2-2.17.ia64.rpm
c603a39fcf3876c7e6123c6725e12b8e  php-pgsql-4.1.2-2.17.ia64.rpm

Red Hat Linux Advanced Workstation 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/php-4.1.2-2.17.src.rpm
9820e0982acdf72a0f8c9af02f4e5f6a  php-4.1.2-2.17.src.rpm

ia64:
f03338d56473c9c2af996e5de897d843  php-4.1.2-2.17.ia64.rpm
d3d03471a50878eb9330ca226ce47da9  php-devel-4.1.2-2.17.ia64.rpm
efe489bd298c35685ba6127ebcb67575  php-imap-4.1.2-2.17.ia64.rpm
a35e27188fb680cd0f192ea85065f7ae  php-ldap-4.1.2-2.17.ia64.rpm
22aed8fc2144c5e23ffb65aeb792b8fa  php-manual-4.1.2-2.17.ia64.rpm
abc59cffe540ebdc24d968ae3bb716c7  php-mysql-4.1.2-2.17.ia64.rpm
58fefa66509e3babfecb58f2642116e8  php-odbc-4.1.2-2.17.ia64.rpm
c603a39fcf3876c7e6123c6725e12b8e  php-pgsql-4.1.2-2.17.ia64.rpm

Red Hat Enterprise Linux ES version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/php-4.1.2-2.17.src.rpm
9820e0982acdf72a0f8c9af02f4e5f6a  php-4.1.2-2.17.src.rpm

i386:
856a5725715e6d970d7fe5fce209780c  php-4.1.2-2.17.i386.rpm
98b74cc772436080d6f1b0b08e4a5690  php-devel-4.1.2-2.17.i386.rpm
403e01c242b079c3988c25c6406c3734  php-imap-4.1.2-2.17.i386.rpm
e2cc407fd74569e37e95f27f0aa0c873  php-ldap-4.1.2-2.17.i386.rpm
b6876b825654e6dd9cd5b400da47611c  php-manual-4.1.2-2.17.i386.rpm
442f5cacbbf06f9a3b6e1d359c9acd55  php-mysql-4.1.2-2.17.i386.rpm
8ba4b70e2f358f4c35775b90b955e88e  php-odbc-4.1.2-2.17.i386.rpm
03b45786fdaea33bcc179b2d375f9995  php-pgsql-4.1.2-2.17.i386.rpm

Red Hat Enterprise Linux WS version 2.1:

SRPMS:
ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/php-4.1.2-2.17.src.rpm
9820e0982acdf72a0f8c9af02f4e5f6a  php-4.1.2-2.17.src.rpm

i386:
856a5725715e6d970d7fe5fce209780c  php-4.1.2-2.17.i386.rpm
98b74cc772436080d6f1b0b08e4a5690  php-devel-4.1.2-2.17.i386.rpm
403e01c242b079c3988c25c6406c3734  php-imap-4.1.2-2.17.i386.rpm
e2cc407fd74569e37e95f27f0aa0c873  php-ldap-4.1.2-2.17.i386.rpm
b6876b825654e6dd9cd5b400da47611c  php-manual-4.1.2-2.17.i386.rpm
442f5cacbbf06f9a3b6e1d359c9acd55  php-mysql-4.1.2-2.17.i386.rpm
8ba4b70e2f358f4c35775b90b955e88e  php-odbc-4.1.2-2.17.i386.rpm
03b45786fdaea33bcc179b2d375f9995  php-pgsql-4.1.2-2.17.i386.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
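As an added example (not part of the Red Hat advisory), the following POSIX shell script checks downloaded RPMs against the advisory's own "md5  filename" lines and then runs rpm -K for the GPG signature check described above, so that a package is installed only if both the published checksum and Red Hat's signature agree. It assumes the advisory text has been saved to a file, the RPMs sit in one directory, and GNU md5sum is available; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify downloaded RPMs against the
# "<md5>  <file>.rpm" lines of an advisory, then against Red Hat's GPG key.
# Assumptions: advisory text saved to a file, RPMs in one directory, GNU
# md5sum present; rpm -K is only run when rpm exists on this host.

# advisory_md5_list ADVISORY_FILE
# Prints only the "<32 hex>  <file>.rpm" lines, i.e. a list usable as
# checksum input; fails if the advisory contains no such line.
advisory_md5_list() {
    grep -E '^[0-9a-f]{32}  [^ ]+\.rpm$' "$1"
}

# verify_rpm_checksums ADVISORY_FILE RPM_DIR
# Returns 0 when every listed package present in RPM_DIR matches its
# advisory checksum, 1 on any mismatch, 2 when nothing could be checked.
# Packages listed for other architectures but not downloaded are skipped.
verify_rpm_checksums() {
    adv=$1
    dir=$2
    tmp=$(mktemp) || return 2
    advisory_md5_list "$adv" > "$tmp" || {
        echo "no checksum lines found in $adv" >&2; rm -f "$tmp"; return 2; }
    status=0
    checked=0
    while read -r expected f; do
        [ -f "$dir/$f" ] || continue            # not downloaded: skip
        checked=$((checked + 1))
        actual=$(md5sum "$dir/$f" | awk '{print $1}')
        if [ "$expected" = "$actual" ]; then
            echo "OK       $f"
        else
            echo "MISMATCH $f (advisory $expected, file $actual)" >&2
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    [ "$checked" -gt 0 ] || { echo "none of the listed packages found in $dir" >&2; return 2; }
    return "$status"
}

# verify_rpm_signatures RPM_DIR
# Runs rpm -K on every RPM in the directory; requires Red Hat's package
# signing key to be imported (see the advisory URL above). Returns 2 when
# rpm is not available, because "not checked" must not read as "good".
verify_rpm_signatures() {
    dir=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available; signatures not checked" >&2; return 2; }
    status=0
    for f in "$dir"/*.rpm; do
        [ -f "$f" ] || continue
        rpm -K "$f" || status=1
    done
    return "$status"
}

# Usage: sh verify-rpms.sh RHSA-2007-0154.txt ./downloads
if [ "$#" -eq 2 ]; then
    verify_rpm_checksums "$1" "$2" && verify_rpm_signatures "$2"
fi
```

Keep the checksum step even after importing the signing key: it catches a truncated or wrong-architecture download before rpm is ever asked to parse the file.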

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1711
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.