-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  PHP local security issue (SSA:2004-154-02)

New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current
to fix a security issue.  These fix a problem in previous Slackware php
packages where linking PHP against a static library in an insecure path
(under /tmp) could allow a local attacker to place shared libraries at
this location causing PHP to crash, or to execute arbitrary code as the
PHP user (which is by default, "nobody").

Thanks to Bryce Nichols for researching and reporting this issue.


Here are the details from the Slackware 9.1 ChangeLog:
+--------------------------+
Wed Jun  2 11:28:17 PDT 2004
patches/packages/php-4.3.6-i486-1.tgz:  Upgraded to php-4.3.6.  This is
  compiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in
  previous php packages where linking against the library in a path under
  /tmp caused an ELF rpath to this location to be built into the PHP binaries.
  A local attacker could (by placing shared libraries in this location) either
  crash PHP or cause arbitrary code to be executed as the PHP user (typically
  "nobody").  Thanks to Bryce Nichols for discovering this issue and bringing
  it to my attention.
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Updated package for Slackware 8.1:

Updated package for Slackware 9.0:

Updated package for Slackware 9.1:

Updated package for Slackware -current:


MD5 signatures:
+-------------+

Slackware 8.1 package:
cee32e839211a37b0081615b4112b87f  php-4.3.6-i386-1.tgz

Slackware 9.0 package:
eaa0c69981f0aa8cc6b2d4ef0269481c  php-4.3.6-i386-1.tgz

Slackware 9.1 package:
007c48e42d292819b6cdc66e2e8334e0  php-4.3.6-i486-1.tgz

Slackware -current package:
07bcba5e37538f16941141c43006cec1  php-4.3.6-i486-4.tgz


Installation instructions:
+------------------------+

First, stop apache:

# apachectl stop

Next, upgrade the PHP package as root:

# upgradepkg php-4.3.6-i486-1.tgz

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl


+-----+

Slackware: 2004-154-02: PHP local security issue Security Update

June 2, 2004
New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue

Summary

Here are the details from the Slackware 9.1 ChangeLog: Wed Jun 2 11:28:17 PDT 2004 patches/packages/php-4.3.6-i486-1.tgz: Upgraded to php-4.3.6. This is compiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in previous php packages where linking against the library in a path under /tmp caused an ELF rpath to this location to be built into the PHP binaries. A local attacker could (by placing shared libraries in this location) either crash PHP or cause arbitrary code to be executed as the PHP user (typically "nobody"). Thanks to Bryce Nichols for discovering this issue and bringing it to my attention. (* Security fix *)

Where Find New Packages

Updated package for Slackware 8.1:
Updated package for Slackware 9.0:
Updated package for Slackware 9.1:
Updated package for Slackware -current:

MD5 Signatures

Slackware 8.1 package: cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz
Slackware 9.0 package: eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz
Slackware 9.1 package: 007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
Slackware -current package: 07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz

Severity
[slackware-security] PHP local security issue (SSA:2004-154-02)
New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue. These fix a problem in previous Slackware php packages where linking PHP against a static library in an insecure path (under /tmp) could allow a local attacker to place shared libraries at this location causing PHP to crash, or to execute arbitrary code as the PHP user (which is by default, "nobody").
Thanks to Bryce Nichols for researching and reporting this issue.

Installation Instructions

Installation instructions: First, stop apache: # apachectl stop Next, upgrade the PHP package as root: # upgradepkg php-4.3.6-i486-1.tgz Finally, restart apache: # apachectl start Or, if you're running a secure server with mod_ssl: # apachectl startssl

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved