-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                php4/mod_php4
        Announcement-ID:        SUSE-SA:2004:021
        Date:                   Friday, Jul 16th 2004 13:00:00 MEST
        Affected products:      8.0, 8.1, 8.2, 9.0, 9.1,
                                SuSE Linux Enterprise Server 8,
                                SuSE Linux Office Server,
                                UnitedLinux 1.0
        Vulnerability Type:     remote code execution
        Severity (1-10):        7
        SUSE default package:   No.
        Cross References:       CAN-2004-0594
                                CAN-2004-0595
                                
    Content of this advisory:
        1) security vulnerability resolved: memory_limit problem,
            strip_tags() bypassing problem
           problem description, discussion, solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds:
            - sitecopy
            - cadaver
            - freeswan
            - ipsec-tools
            - apache2
            - dhcp/dhcp-server
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    PHP is a well known, widely-used scripting language often used within
    web server setups.
    Stefan Esser found a problem with the "memory_limit" handling of PHP which
    allows remote attackers to execute arbitrary code as the user running
    the PHP interpreter. This problem has been fixed. Additionally a
    problem within the "strip_tags" function has been found and fixed which
    allowed remote attackers to inject arbitrary tags into certain web
    browsers, issuing XSS related attacks.
      Since there is no easy workaround except disabling PHP, we recommend
    an update for users running the PHP interpreter within the apache
    web server.

    To be sure the update takes effect you have to restart the apache process
    by executing the following command as root:
 
         /usr/sbin/rcapache restart

    or if you use the apache2 package

         /usr/sbin/rcapache2 restart

    Please download the update package for your distribution and verify its
    integrity by the methods listed in section 3) of this announcement.
    Then, install the package using the command "rpm -Fhv file.rpm" to apply
    the update.
    Our maintenance customers are being notified individually. The packages
    are being offered to install from the maintenance web.


    x86 Platform:

    SUSE Linux 9.1:
          efdc7667b7f5d9ee3ef4af428ec7d9ec
          8cb2d1a863694ced982bfd7a38481c0a
          7e7435b1ba7bbb4412478360ef5c9572
          342aeccff4de94fa41e591dc28b4995e
          e3d5f8e5612bee3b6ba008404f90fb55
          4f2520897321dcc99c3ba5adb9153ff6
    patch rpm(s):
          dad5281b43fe630aa3db43580afaf76a
          41c7f677bb593066322f1790766039fd
          93c1ed2eec77c6e56d3adffa1491dd82
          7d428eaf1463cac357c0cdcaca9d50d2
          072871a11fac7bff0f9c5598248fd2ba
          f53d6ff178db5b81d43dfb2a36cf391f
    source rpm(s):
          f83b6501a1f8630e24be36921b5fce49

    SUSE Linux 9.0:
          e50812ce7fb1fb3113d3cae78a85ad5e
          cdd59314c94b883d2bd5a537b3f43b7b
          bda2735824a4ee3cd4cfe9372751939c
    patch rpm(s):
          c3dba68761eefe25a772598cf018fb7e
          62e775ec9ffea0d6d2f85e225ed63b38
          e2513d45b0b22731a05dfde7e3b0448c
    source rpm(s):
          fc2b7442cc450384b2b856831d267385

    SUSE Linux 8.2:
          8be50387c34e6248318ed53e36e2512f
          a3c14b203e93bf64a68e8430a3fb4d86
    patch rpm(s):
          5a8fe03a1a64f41b959562702b1a8f83
          21e0eea787c4da34e03f329bc568ab6d
    source rpm(s):
          8e3e2270a3efe3f315099d265f8324de

    SUSE Linux 8.1:
          0ec06130362ed94e55e6bb79a2844a37
          a4d2a49e1f137155578f3f2bde1b5fa2
          9142fa285d3710e35c4a3d135b455535
    patch rpm(s):
          1f868989e0920f6aabc665e75c4260f6
          2b091542a122162c83b23fb2f13331ff
          d3f9ef5b71017c34e3d17ee1a628b43c
    source rpm(s):
          08bc2803338c266c725191c3e0eeba97

    SUSE Linux 8.0:
          fdcc67031dd330a79993fe65d7764321
          73376bc40edef9df878de4bd62eedfa5
          7e33a1da4f9a5500cfe6abee51db3ee3
    patch rpm(s):
          5fca682f3c7f409cac2a059ec7e1bfdb
          030d6c2af596bd6afb9c7aea694450bb
          caf932e5dfb4951758f41098b80c1ff5
    source rpm(s):
          126bed26b2d74293a00ecb2699efcd8a


    x86-64 Platform:

    SUSE Linux 9.1:
          90daa6052475e07b8f76f58a86aa6315
          7abfa94cdc7870d68e938a5c8c995be2
          6a1c8f7b8a3f866e31ed8d5b601975e7
          5fa4df5b6f620132cc878f5a48511af7
          151365c7b03323c0b5b68803d94a3b62
          63a73e34fcb6d6ea0deb1edfb6c0b23b
    patch rpm(s):
          497481846ba5a990cb28edc69b5a4222
          8bc486a4a22ba827213c8a199b33e40c
          fbdea242ea256a6178168ac4d3513d9b
          5d082d666c53aa76e443878322a5ef9a
          6775fc0b073ec7cf20ce7a7b18113846
          ada500d6680eaabd6660abd490e90936
    source rpm(s):
          edb55d94ded7ecf53c8eecf1f4295a4c

    SUSE Linux 9.0:
          9ed20898e90b820937476df2f03fb7d5
          dbdb9c40d98990cfb388e208e41db175
          16540dcb5bb480448cd0afd8d494f40d
    patch rpm(s):
          465038b0c123f5d3240672c11bdc996a
          efe5ff6682739a555bf608edc3f7ed92
          c7a6e0b12f6064c5ac2590e631325421
    source rpm(s):
          1ce2db40eea8d9b5e43129bc6d66df95


______________________________________________________________________________

2)  Pending vulnerabilities in SUSE Distributions and Workarounds:

    - sitecopy
    The sitecopy package includes a vulnerable version of the
    neon library (CAN-2004-0179, CAN-2004-0398).
    New packages are available on our ftp servers.

    - cadaver
    The cadaver package includes a vulnerable version of the
    neon library (CAN-2004-0179, CAN-2004-0398).
    New packages will soon be available on our ftp servers.

    - freeswan
    A bug in the certificate chain authentication code could allow an
    attacker to authenticate any host against a FreeS/WAN server by
    presenting specially crafted certificates wrapped in a PKCS#7 file.
    New packages are available on our ftp servers.

    - ipsec-tools
    The racoon daemon which is responsible for handling IKE messages
    fails to reject invalid or self-signed X.509 certificates which
    allows for man-in-the-middle attacks on IPsec tunnels established
    via racoon.
    New packages are available on our ftp servers.

    - apache2
    A remote Denial of Service condition (CAN-2004-0493) has been fixed
    in Apache2. New packages are available on our ftp servers.

    - dhcp/dhcp-server
    A remotely exploitable buffer overflow has been fixed in the dhcp
    and dhcp-server packages. CERT has assigned VU#654390 to this issue.
    New packages are available on our ftp servers.
    
______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SUSE update packages are available on many mirror ftp servers all over
    the world. While this service is being considered valuable and important
    to the free and open source software community, many users wish to be
    sure about the origin of the package and its content before installing
    the package. There are two verification methods that can be used
    independently from each other to prove the authenticity of a downloaded
    file or rpm package:
    1) md5sums as provided in the (cryptographically signed) announcement.
    2) using the internal gpg signatures of the rpm package.

    1) execute the command
        md5sum 
       after you downloaded the file from a SUSE ftp server or its mirrors.
       Then, compare the resulting md5sum with the one that is listed in the
       announcement. Since the announcement containing the checksums is
       cryptographically signed (usually using the key security@suse.de),
       the checksums show proof of the authenticity of the package.
       We disrecommend to subscribe to security lists which cause the
       email message containing the announcement to be modified so that
       the signature does not match after transport through the mailing
       list software.
       Downsides: You must be able to verify the authenticity of the
       announcement in the first place. If RPM packages are being rebuilt
       and a new version of a package is published on the ftp server, all
       md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
       of an rpm package. Use the command
        rpm -v --checksig 
       to verify the signature of the package, where  is the
       filename of the rpm package that you have downloaded. Of course, 
       package authenticity verification can only target an un-installed rpm
       package file.
       Prerequisites:
        a) gpg is installed
        b) The package is signed using a certain key. The public part of this
           key must be installed by the gpg program in the directory 
           ~/.gnupg/ under the user's home directory who performs the
           signature verification (usually root). You can import the key
           that is used by SUSE in rpm packages for SUSE Linux by saving
           this announcement to a file ("announcement.txt") and
           running the command (do "su -" to be root):
            gpg --batch; gpg < announcement.txt | gpg --import
           SUSE Linux distributions version 7.1 and thereafter install the
           key "build@suse.de" upon installation or upgrade, provided that
           the package gpg is installed. The file containing the public key
           is placed at the top-level directory of the first CD (pubring.gpg)
           and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   general/linux/SUSE security discussion. 
            All SUSE security announcements are sent to this list.
            To subscribe, send an email to 
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an email to
                .

    For general information or the frequently asked questions (faq) 
    send mail to:
         or
         respectively.

    ====================================================================    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================