Fedora: php Multiple vulnerabilities
Summary
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.
Update Information:
This update includes the latest release of PHP 4, including fixes for
security issues in memory limit handling (CVE CAN-2004-0594), and the
strip_tags function (CVE CAN-2004-0595). CAN-2004-0595 is not known
to be exploitable in the default configuration if using httpd 2.0.50,
but can be triggered if the "register_globals" setting has been
enabled. CAN-2004-0595 can allow a possible cross-site-scripting
attack with some browsers.
The mbstring extension has been moved into the php-mbstring subpackage
in this update to reduce the overall package size.
* Fri Jul 16 2004 Joe Orton <jorton@redhat.com> 4.3.8-2.1
- revert upstream default php.ini change since 4.3.6
- add three FD_SETSIZE changes to main/network.c (#125258)
* Wed Jul 14 2004 Joe Orton <jorton@redhat.com> 4.3.8-2.0
- update to 4.3.8
- add gmp_powm fix (Oskari Saarenmaa, #124318)
- split out mbstring extension into php-mbstring subpackage
- fix rebuild without bison/flex
- have -devel require php of same release
- add fixes for memory handling in 2.0 handler SAPI
This update can be downloaded from:
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
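The check below is an added example, not part of the Fedora advisory: it tests the two conditions the update text names, a php release older than the fixed one and an enabled "register_globals" setting. The function names, the sample php.ini and the installed release 4.3.4-11 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Fixed releases are the advisory's:
# 4.3.8-1.1 (Fedora Core 1) and 4.3.8-2.1 (Fedora Core 2).

# Exit 0 if the last uncommented register_globals assignment in php.ini ($1)
# enables it. An absent setting counts as off (the PHP default since 4.2.0).
register_globals_enabled() {
    val=$(sed -e 's/;.*$//' "$1" |
        awk -F= 'tolower($1) ~ /^[ \t]*register_globals[ \t]*$/ { v = $2 }
                 END { print tolower(v) }' | tr -d ' \t"\r')
    case "$val" in
        on|1|true|yes) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 0 if version-release $1 sorts before the fixed version-release $2.
# Assumption: GNU "sort -V" matches RPM ordering for these numeric strings.
older_than_fixed() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# assess INSTALLED FIXED PHP_INI: print a one-line verdict.
assess() {
    if ! older_than_fixed "$1" "$2"; then
        echo "patched"
    elif register_globals_enabled "$3"; then
        echo "unpatched, register_globals enabled"
    else
        echo "unpatched, register_globals off"
    fi
}

# Constructed php.ini: the commented-out line must not count.
demo_ini=$(mktemp)
printf '%s\n' '; register_globals = Off' 'memory_limit = 8M' \
    'Register_Globals = "On"  ; legacy application' > "$demo_ini"
assess 4.3.4-11 4.3.8-2.1 "$demo_ini"   # constructed installed release
assess 4.3.8-2.1 4.3.8-2.1 "$demo_ini"
```

On a real host, pass the output of rpm -q --qf '%{VERSION}-%{RELEASE}' php and the path of the active php.ini in place of the constructed values.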
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CORE 1:
Fedora Update Notification
FEDORA-2004-222
2004-07-23
Product : Fedora Core 1
Name : php
Version : 4.3.8
Release : 1.1
Summary : The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.
This update includes the latest release of PHP 4, including fixes for
security issues in memory limit handling (CVE CAN-2004-0594), and the
strip_tags function (CVE CAN-2004-0595). CAN-2004-0595 is not known
to be exploitable in the default configuration if using httpd 2.0.50,
but can be triggered if the "register_globals" setting has been
enabled. CAN-2004-0595 can allow a possible cross-site-scripting
attack with some browsers.
The mbstring extension has been moved into the php-mbstring subpackage
in this update to reduce the overall package size.
* Fri Jul 16 2004 Joe Orton <jorton@redhat.com> 4.3.8-1.1
- revert default php.ini change since 4.3.6
- add three FD_SETSIZE changes to main/network.c (#125258)
* Wed Jul 14 2004 Joe Orton <jorton@redhat.com> 4.3.8-1.0
- update to 4.3.8
- add gmp_powm fix (Oskari Saarenmaa, #124318)
- split out mbstring extension into php-mbstring subpackage
- fix rebuild without bison/flex
- have -devel require php of same release
- add fixes for memory handling in 2.0 handler SAPI
This update can be downloaded from:
This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
CORE 2:
Fedora Update Notification
FEDORA-2004-223
2004-07-23
Product : Fedora Core 2
Name : php
Version : 4.3.8
Release : 2.1
Summary : The PHP HTML-embedded scripting language. (PHP: Hypertext Preprocessor)
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.