SuSE: 2005-023: php remote denial of service Security Update
______________________________________________________________________________
SUSE Security Announcement
Package: php4, php5
Announcement-ID: SUSE-SA:2005:023
Date: Fri, 15 Apr 2005 12:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Enterprise Server 8, 9
Vulnerability Type: remote denial of service
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0524
CAN-2005-0525
Content of this advisory:
1) security vulnerability resolved:
php4 / php5 denial of service attack
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
none
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes the following security issues in the PHP scripting
language:
- A bug in getimagesize() EXIF handling which could lead to a denial of
service attack.
This is tracked by the Mitre CVE IDs CAN-2005-0524 and CAN-2005-0525.
Additionally this non-security bug was fixed:
- Performance problems of unserialize() caused by a previous security
fix to unserialize() were fixed.
All SUSE Linux based distributions shipping php4 and php5 were affected.
2) solution/workaround
Please install the upgraded packages.
3) special instructions and notes
Please make sure you restart the web server after this update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 6) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
none
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
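Both verification methods from this appendix combined into one check before the "rpm -Fhv" step, as an added shell example that is not part of the SUSE announcement; the package file name and expected sum at the end are placeholders, and the script assumes "md5sum" and "rpm" are on the path:

```shell
#!/bin/sh
# Added example (not from the SUSE announcement): check a downloaded rpm
# against the md5sum published in the signed advisory, then verify the
# rpm's own gpg signature, and only then apply it with "rpm -Fhv".

# Compare the md5 of a file with the sum printed in the announcement.
# Returns 0 on match, 1 on mismatch. Comparison is case-insensitive.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Check the internal gpg signature of an rpm package. "rpm -K" ends its
# line with "OK" when the signature verifies against an imported key and
# with "NOT OK" otherwise, so a bare "NOT OK" must not count as success.
# Returns 0 on a good signature, 1 otherwise (also when rpm is missing).
verify_rpm_sig() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -K "$1" 2>/dev/null | grep -v 'NOT OK' | grep -q 'OK$'
}

# Apply the update only when both checks pass, then remind the operator
# of the restart required by section 3) of the announcement.
apply_update() {
    pkg="$1"
    sum="$2"
    if ! verify_md5 "$pkg" "$sum"; then
        echo "md5 mismatch for $pkg: refusing to install" >&2
        return 1
    fi
    if ! verify_rpm_sig "$pkg"; then
        echo "gpg signature check failed for $pkg: refusing to install" >&2
        return 1
    fi
    rpm -Fhv "$pkg" && echo "update applied; restart the web server now"
}

# Usage with placeholder values (substitute the file and the md5sum
# from the announcement for your distribution):
# apply_update php4-PLACEHOLDER.rpm 00000000000000000000000000000000
```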