-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: PHP4,PHP5
Announcement ID: SUSE-SA:2006:031
Date: Wed, 14 Jun 2006 18:00:00 +0000
Affected Products: SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SUSE LINUX 9.1
SuSE Linux Enterprise Server 8
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 6
SUSE Default Package: no
Cross-References: CVE-2006-1990, CVE-2006-1991, CVE-2006-2657
CVE-2006-2906
Content of This Advisory:
1) Security Vulnerability Resolved:
multiple PHP4/5 security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
This update fixes the following security issues in the PHP scripting
language, both version 4 and 5:
- Invalid characters in session names were not blocked.
- CVE-2006-2657: A bug in zend_hash_del() allowed attackers to prevent
unsetting of some variables
- CVE-2006-1991, CVE-2006-1990: Bugs in the substr_compare() and
wordwrap function could crash the php interpreter.
- CVE-2006-2906: A CPU consumption denial of service attack in php-gd
was fixed.
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of Apache/Apache2
after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
43caed16d11d6d744cc9ffd8395b556f
c710b5f21c59e26b3614bd9f678f3cd9
bdbdf268f1e7c28380280eb92f401543
SUSE LINUX 10.0:
ee9a036c0c3e7980a0e7d549b7cc002f
f481f326f7f54dfc3206556a9bf67205
d75c89b6b52acbef2b390cea964bd9b5
a3cd814e0fad2159a8b2792a6fd911f9
c3afcc6e4032720fe1eea12a765f61dc
6a7a52370500ae40e9326cc381c2675d
c50ba2c19f5fe867795f65bf137aea93
04435104d2b5b5b66d0b5225d285700f
4fdc57479a471ad661c4eac0e2b69026
df6a2c45dbba97b16211fbd2897de09d
35e432a21e77c68843b51b65ace9b6a0
497e4234c830dc8206bbd011dbbb8bfd
1afe872c30a7789c608146de00abf369
e8c65c894d7ea28aa09bf7e8f7f3ccd9
73f0b104e6a9e74fe2ded7e77dfecb7d
232e84253c063a8942396b8e10338682
8bb28c6c7e48b64ea24740dbffd8892f
SUSE LINUX 9.3:
821357c5187d35011ca6719a4800ad7e
262d39f817115eb7ee6e7684976fc4d0
34b0fedf7ed621c9733df67b7495331c
7a0ad94e62e8c743094f6ec40a1d9b1d
407c70d3733afd11132cbeab07c631e3
671185e5ea32d549247714b4d677fd14
96ef30c80ab27d9d7cf4adb8c27ede5f
7c98b8423f6499926f8dd0d49c7e06a6
8065b470f710f03ee254618edec63330
36e29339a0f06826813baf1fe3c0183a
1cd935f93eeb3e1e08467a8ec9da1546
068daf588e69e8e032ae9b8788660c8e
d21c0b2190b4a9eacb8d01baa2a94cc8
15be3d77516c642011e7a219b2dc9f19
233eb72898dff61aaaf96d4619a5dfe6
000b41b363221d36f461710b78b70306
92a47575b0c8de691ef41dd29b7efc6e
e263a60c24b957b1fdebe7b00d769e83
b4334f824c9f7943417b745426a63b11
b2d16811dfd728c67addb90f79b54d67
0477129977e118178cb9e0431d706990
530bda9a7f5a7ab7568a8e69f99c7868
SUSE LINUX 9.2:
f212924910ec209c3f8f0c5db3b18447
21b4f9c977f76764f02961510aa80b49
0d6fac421b1c28b6610cdec8c2525ba6
02dc039703f3f781a5861c9535203624
8175deacb02985b6a9fdbf60140c2563
c26e1826c2f5e32370f6a304dec39bd8
0ed67cbb3bceeeb61588c1d9e300fa7b
6201452c9c6b9181d0fcfb5642aa1897
39956165064be228b7ced1d8fc8b1975
67b3927a7e0bb817f62c883639df0334
36f89680156c19d5d84047ba69d6a719
SUSE LINUX 9.1:
6b7dce5b6fc404959f2bb9d2cc837f98
6598a95fa00d7b011a0d56d76cd70f0d
b3a5aa3461fa89cd35d1a20d321bb7f4
ddb3e2ddf9b9b45655ff44f1e7e9317c
73302ac6b1ae2d5120e8a7d2a05052db
5ffedeb8515eafc065c639f9470eb7d3
7c194d8b2bc3de4a96928e2c99a80a96
0bf2068e87c47cea0f81bf4f55b6dc50
4b9dd632e7d5a7d8aa0dd8a4efc8e37b
bea433cff0221243363ea0105111c86c
96dd1d3d5063be3216e7492670d00cc9
a84d8ddd7ce534c7acc7972628f2ae0c
5b646636567e96cca066695f6ce6cfe9
04c41b24b8d8c20a925f1c17d0acb281
982d7b35f8061f74bbc66ba00b25d88b
bf9af241b791dc090925c09ef135afc0
b085e91f153f26b164d5d6a342097bf1
Power PC Platform:
SUSE LINUX 10.1:
c9d486f1c9b55bfb9e810adb6abc8aab
1e23a318feeaa1f34ed00cc399ad356a
5108034703d9c2108babee92c0ae17d3
SUSE LINUX 10.0:
3938e739a478cccb4b71f6b7e43edd2c
0673e6b7978d86592a2e49571aa6a2a7
be46e319b18df7e2109d356ff4ebc20e
c1996ef13815d7fdcee7f8f5baed4bcf
92e5fabb5f4dad75be2b4a3617e97988
eee4690f118364474826d26c054bdf10
f318576b118be51d17a0e60a87e17d9f
95e643e8edc72663358494c534b62552
9cf6ee8f88a5060ac8a0f594d9e48fa6
bfa39d4d148b56ad8b7c6e44510a0c11
3adbbbf720410c1ed23dd79bea9e220d
948fc3125a641981d3f87975d6e97c54
cb0923a3313c4fd116318bf471e50778
50e68b88d43d25ec73d9aecc69f30e5b
71dfa81dfd012f548d8f025bfdfeedbd
8653bdc6fd1339ab69c36eac0ba686ac
x86-64 Platform:
SUSE LINUX 10.1:
f4dede6f601bfcee52dd3b93859870e3
ef9cee1726b8bd511855f874823ab825
ad72b93f1472ab9103f092ad899d697a
SUSE LINUX 10.0:
b9bf78047d75d193eb45e76f889e48b2
677743bbf4162fde6757a055ddf1a1c1
c55eed73f54c6f0a145342644fe44078
f9907902edf1a76b44cf3adb7a1b484d
90fcd0d1423caf1b96f79b7b16f65439
b05af431c9bb58ecb9d5e6d1871f17eb
e07adcdd81a962e259ae4b1c0d21f89d
591794e8f5690db6eb0544f75ca5aabb
b35a87bba7a2d1301806a7af10473725
b432e0e35ee0cb30672e89b324a23396
a82f50460802a1767854758d406b82cb
78f9287306f1d029a9b3d471318fafda
f6dd1443d043715c103ff0ec77bcb9b7
aaf4cdd7b69405bc2fc46d721cb208b8
8fac63d139a16a587c6a38f7ef622531
1b0a546491b54b4d73eecfee1db04a5a
b60a17edeb48d6cdc291bdb3204398ec
1030f5db7852122bc3d7a0d6432a8dc6
SUSE LINUX 9.3:
3efa464de374a316bcfc48edc0728b80
0807c3ffba97947d7f58e434d6be424a
ac4933dcb44e3a28f19ec4535e3d1f69
d5d5e1b56a7c99004bf7048bead9506f
8cddaa485f432a4e3c644e53fa31b3fd
1f5aeb49f2cb874fd213c97563c11492
f9f96ed8c0cce5ab6aef622a79d6e67b
1e3ddeafab63b93e6149df2996afc674
001446522678324806c21f2777dcce19
566299076beb81ab015e834707646fb8
2bdad5f2e29738442e49fee529862842
6219659daad37fbcbee11748f1d2b34f
67757dc0a8a9cb00ffd653ae2cf26224
bc3737aaf8c7f5b0ec4f76ac333b4f49
a1f6a145f2af57e006a2099baeb1398f
3caafddfc109b70e80acf683a155219b
eaab55971ca52912c0853d0d29ed98ec
629dc2798d1dff92a1b1f5ca1f3334a3
6947c955edc17fe914feebe48fcfae3b
f8c743c3cb7973ccbece026844cae9fb
a11dedb05754fcf1f2d4a4eff98d1070
6500afb7ff16fa52098805f0a8aee789
fef838635d36eda73402eabfab666a5c
SUSE LINUX 9.2:
a984fab6423ee37c7d479180b670d635
b3f236a5f51d6916ebce5306e9cf8dc9
8899d8b26da5381a69e928b07f7af3e1
b41e5526228b3a47a8d33ccc4bfd8593
2e0b5cd33d5a401b85757a9185240f39
9b35b4fcb6ba77ffcd05a662d4ce5318
6886ac119c43e6cd535974bdf2f30698
b5f4c3eeb0f1a167e3dbc030b9c1edd3
c4c258802dbecfac5106064561d24255
67b7965d8b9624e8243b6f46de8411d3
11b2e0a23639145772a3c359abb52e59
e2cd105c941877d49e28277705a7039e
SUSE LINUX 9.1:
6881897376e783520b891056e35ec534
30947f905b21c7ef536478d64fee5bfd
bb4d633dcc7dcb10ef1a3bcfcdc84797
8e4b3fea82c3cbb106377b87f1fee6c9
04e5fa26ac5e8fc63314aacad1d6b249
5f2a74b4adb0c839562e02b42bf4f05c
3fdad764d7b36a3b5b7870e18c984e9e
68d576893b580efc27be7a634bb42568
2838bcfd8f223d81c471e3405da00c33
573fad1c28b3e8554f2cb4e0861dc057
869974b14a9a22e79bbc73f6a7af6a55
6ba59734b7107a021a68bcd315db1bf2
77421b8c21f635fbc78f64168961b62c
b32cbd1db68a50f843fbdf0cbabefa68
00376ad2619727f8d7feef6f5d8d3e26
1acf46b9184a55159ac1e38bb26d43ff
e017ba71e1269460e5124ba46cd34bac
Sources:
SUSE LINUX 10.1:
98d8846387e3b252a7af710388460128
SUSE LINUX 10.0:
507d65d8ee0d358ee43fcf793c0d7955
9adf218a1b0d39b06350a57a0f627a55
SUSE LINUX 9.3:
42587bbd02008e856204797ba2d3e312
ba707c9762597086350062dcce3d8d99
SUSE LINUX 9.2:
f8ee786af575e1bd2dcf4f243a471623
SUSE LINUX 9.1:
d1c7f23f762099bcabacb3b9a1425ab6
bc7a12efeaf4cc118a857914e3a09910
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE CORE 9 for Itanium Processor Family
SUSE SLES 9
UnitedLinux 1.0
SuSE Linux Enterprise Server 8
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
