-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                php4
        Announcement ID:        SUSE-SA:2006:034
        Date:                   Thu, 22 Jun 2006 14:00:00 +0000
        Affected Products:      SUSE LINUX 10.0
                                SUSE LINUX 9.3
                                SUSE LINUX 9.2
                                SUSE LINUX 9.1
                                SuSE Linux Enterprise Server 8
                                SUSE SLES 9
                                UnitedLinux 1.0
        Vulnerability Type:     bug fix
        Severity (1-10):        0
        SUSE Default Package:   no
        Cross-References:       CVE-2006-2657

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             bugfix update for previous PHP 4 release
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
            See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   In SUSE-SA:2006:031 we announced bugfixes for PHP4.

   Unfortunately the patches to fix CVE-2006-2657 contained a bug
   which made arrays work unreliable or not all and so broke several
   PHP applications.

   We have released fixed packages for this problem, as listed below.

   Only PHP4 was affected, the PHP5 updates do not contain this problem.

2) Solution or Work-Around

   There is no known workaround, please install the update packages.

3) Special Instructions and Notes

   Please close and restart all running instances of apache and/or
   apache2 after the update.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the YaST
   Online Update (YOU) tool. YOU detects which updates are required and
   automatically performs the necessary steps to verify and install them.
   Alternatively, download the update packages for your distribution manually
   and verify their integrity by the methods listed in Section 6 of this
   announcement. Then install the packages using the command

     rpm -Fhv 

   to apply the update, replacing  with the filename of the
   downloaded RPM package.


   x86 Platform:

   SUSE LINUX 10.0:
             68b04b2efbea6b19dc795ae5cd99e5a2
             4a560750c14b6941d22ad59961f4ba53
             08ddd002efc044415257b1598c00ff7c
             22dbc5373d389e29dede7989bfae1fbd
             f0591b69b2997552c7c6ebc69e2ea626
             3b6546de3ae1a8d1c7b105323cee19c2
             4dc4650c61dd0127d67fa735ccc14c0b
             dc2e140fb600b7b02498fab0717f2afa

   SUSE LINUX 9.3:
             6c26bb11835f27035f1f1987dae32c3e
             56b81821f4c6efcfce3cfee712c829ff
             f89e007d5b05dd5d24312edfd5256e82
             32a4784f5df6bbbd27f5f179600b379b
             571207c1432a33a28dd90958538bca1f
             cf7c0649419b8492c3f09aeef1b3941a
             505eab04c381d7f5ab479b276fe4aca7
             8738a92c30421636cab3ca00d796b05c
             9deaf549ef63a4d3313ca6953915b9fc
             56340826fc1e4be798c78c2c5752cf34
             8cf3dbcc97638fb38b92a3e5d213d67d

   SUSE LINUX 9.2:
             187ce3402645353d214c2b3a0cd1f9ed
             1b0e6a47ad9a463e656130a943d42387
             659424773f5dd2f49e7eb4de3321b67a
             e1990370e6f794b212701aa96cab248f
             6e018a422474a3e94937230549d6c9f6
             ce308f4fd305f1d426a0e77196b40ed2
             62d1e99398fe2564d9b1e6d891e289f9
             2d89c210f1f69cc379b561c47f71723a
             f9134199842dd3ec2549accee184e1e6
             8335d15b6b282fccce7c602692d5c190
             2a3c67e33f12256fee0aab9d7203e8fb

   SUSE LINUX 9.1:
             a39b9471efb52224a5822aafbd9aae05
             7575d11737d891adcf454c7319006976
             6ce7cf156885adc543ecbade468b7885
             e427a7b430327577facc994a061657f2
             5624c13f07417578785053c13e9159c7
             045bee7e27e3523e95fd0037292d0fb3
             1023c2db204dfa98360580581515af20
             d7baf7c1b3856bea32e3084a3d1ec3c3
             b0ddc9522bb3e56aa77c6b298aee0e96
             c818d87c8324c929254bec4ef4ef1553
             1d4126b943f6d412d382ea5a36754ec0
             b559fd1c85fc6be0611afd23c1dd6f18
             a1c3499ebff3c3493f49977abd82d8ef
             ea2c506fa449c18090d8d81c5fda1da7
             934fcd686006ba5e3cdef9f0763abca4
             ada042141532ceb503499022bd343200
             40c4eded2b858de9a596fdc6d9e21a42

   Power PC Platform:

   SUSE LINUX 10.0:
             a140b3feb66d4aaeaef41b2399e0a788
             91d0a696e9bb5bd9193d7963fc2c06b8
             3b444d35b210ab2463332092aff75a49
             10810749229a4cee68d94cf039126c24
             6e40b40f62337e8ccc6ebe8da992486a
             228fcf57bcbf6fe631d2996c92df34d3
             f2adf27d69a3ef54e5d3da39da46903d

   x86-64 Platform:

   SUSE LINUX 10.0:
             bb1df56dd702ce6af3c55bdb89866d3b
             16a0307d33c644711f8073a246c2f6ef
             671bbcd235e2322ddf5d247969be05e5
             7c6f4fd05ebb4e92f57f63d8ddfd93db
             67e2a98d581f8ccccb680fc4d0bb776d
             1d849d989158068f478d5c7027e6686a
             5ae332bccfee664c040a9f30186b8852
             90ef9cbfaa8a837543b0b08f8b32377f
             0657f62fc9bbcd0ebe5679ab62168a2d

   SUSE LINUX 9.3:
             187682919d052dab78c2fa25da5ca285
             689e899498be1dcf1a671ceb533d6a32
             ea830e8cfea0cded96b8edcf809525ba
             6a48c70dad81fb5712ea35c4aef2075e
             9f6b614c5095376a28c3f288e8a5f50b
             47cb30945e8fc5c3798b5983fb7cb94c
             694aadb8908ef9d8d138e54bc6d42b24
             afb9584831f5a6f8322d00f2282703aa
             3e7b8b67f49b1f0c476af84c0dbd5694
             f8efb254ef885a3a2d04252e902f4f33
             52a54d535a5185533ddb2a29d0e7cb08
             1461201a76c5b430e71c56d6b2fa4777

   SUSE LINUX 9.2:
             518fdd320cfb21b2dc08f9c55b16d6ba
             da409dc041243c8b12b5fbd149f190da
             eefc10a16242a3ba2b0c713007b96f1b
             45d1776a156304c009a4c4f8ae6c15aa
             9f4d1dbc5d73964c32bb3dd0ab419eec
             81710c6db8fb97c4bf97b13ac9e185fc
             c312c20ddd6af00a5fd00f2bd2cedabc
             55ef3a2542547f5f167c56a41f320d52
             8bb0ea1ccd830011cb04bac05fc5061e
             20971cc05c837d423d35f7584a71617c
             e9c3a24289b1d00133fc23082f65d02e
             4949447f09a8ebd00dd21df9a34b68b9

   SUSE LINUX 9.1:
             b966b6665a32c1b437152b6a2468a1ab
             c9d3000f4ff9d70fd53a01afa1ea6528
             87a554fcce1cb600c81815203b718502
             07d7a77a3504b4748b22f228c07bf6ef
             968d6a01832ede73530c0f1dd356e276
             ef6441a0ea53d002431cc39a630c62ce
             e0de13330b9c81dbfea13d4e20762e4c
             0b46e1136f22d99e911087f627420a80
             0ff2aeb36eeccb96fa5b81c58331d7db
             d175e8217d17a9faa779a61eaafbb1b5
             6e0b1814909753e432856e36c257130f
             f28fd61c54d6d55895c0228f96341098
             538fcc0e2f64235f1564c03fe5dcf1d0
             38e483e109067fc0fed78ec172bc4823
             286d218356729415ccbff4ab3a3034ad
             c4e11b7dc6ca5aa190071effe867ac25
             9ea11b3924f67cbb3b929da72d6cd396

   Sources:

   SUSE LINUX 10.0:
             b22894e000afd9eec90ea7481ccf737e

   SUSE LINUX 9.3:
             b00346afb847c32b00e66ad24887b5a8

   SUSE LINUX 9.2:
             b122c554e82537bafdd7ed721c220fe6

   SUSE LINUX 9.1:
             82ee0ce0dd5d1704c3e64abfd8747582
             dcf6c840cf7f236db987d2f91d6f65d6

   Our maintenance customers are notified individually. The packages are
   offered for installation from the maintenance web:

   SUSE CORE 9 for Itanium Processor Family
     
   SUSE SLES 9
     
   UnitedLinux 1.0
     
   SuSE Linux Enterprise Server 8
     
______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

   See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

  - Announcement authenticity verification:

    SUSE security announcements are published via mailing lists and on Web
    sites. The authenticity and integrity of a SUSE security announcement is
    guaranteed by a cryptographic signature in each announcement. All SUSE
    security announcements are published with a valid signature.

    To verify the signature of the announcement, save it as text into a file
    and run the command

      gpg --verify 

    replacing  with the name of the file where you saved the
    announcement. The output for a valid signature looks like:

      gpg: Signature made  using RSA key ID 3D25D3D9
      gpg: Good signature from "SuSE Security Team "

    where  is replaced by the date the document was signed.

    If the security team's key is not contained in your key ring, you can
    import it from the first installation CD. To import the key, use the
    command

      gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

  - Package authenticity verification:

    SUSE update packages are available on many mirror FTP servers all over the
    world. While this service is considered valuable and important to the free
    and open source software community, the authenticity and the integrity of
    a package needs to be verified to ensure that it has not been tampered
    with.

    There are two verification methods that can be used independently from
    each other to prove the authenticity of a downloaded file or RPM package:

    1) Using the internal gpg signatures of the rpm package
    2) MD5 checksums as provided in this announcement

    1) The internal rpm package signatures provide an easy way to verify the
       authenticity of an RPM package. Use the command

        rpm -v --checksig 

       to verify the signature of the package, replacing  with the
       filename of the RPM package downloaded. The package is unmodified if it
       contains a valid signature from build@suse.de with the key ID 9C800ACA.

       This key is automatically imported into the RPM database (on
       RPMv4-based distributions) and the gpg key ring of 'root' during
       installation. You can also find it on the first installation CD and at
       the end of this announcement.

    2) If you need an alternative means of verification, use the md5sum
       command to verify the authenticity of the packages. Execute the command

         md5sum 

       after you downloaded the file from a SUSE FTP server or its mirrors.
       Then compare the resulting md5sum with the one that is listed in the
       SUSE security announcement. Because the announcement containing the
       checksums is cryptographically signed (by security@suse.de), the
       checksums show proof of the authenticity of the package if the
       signature of the announcement is valid. Note that the md5 sums
       published in the SUSE Security Announcements are valid for the
       respective packages only. Newer versions of these packages cannot be
       verified.

  - SUSE runs two security mailing lists to which any interested party may
    subscribe:

    suse-security@suse.com
        -   General Linux and SUSE security discussion.
            All SUSE security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    suse-security-announce@suse.com
        -   SUSE's announce-only mailing list.
            Only SUSE's security announcements are sent to this list.
            To subscribe, send an e-mail to
                .

    For general information or the frequently asked questions (FAQ),
    send mail to  or
    .

    ====================================================================    SUSE's security contact is  or .
    The  public key is listed below.
    ====================================================================