Fedora Legacy Test Update Notification: php

---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2006-175040
Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040
2006-07-05
---------------------------------------------------------------------

Name        : php
Versions    : rh73: php-4.1.2-7.3.20.legacy
Versions    : rh9: php-4.2.2-17.21.legacy
Versions    : fc1: php-4.3.11-1.fc1.6.legacy
Versions    : fc2: php-4.3.11-1.fc2.7.legacy
Versions    : fc3: php-4.3.11-2.8.4.legacy
Summary     : The PHP HTML-embedded scripting language.
Description :
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Updated PHP packages that fix multiple security issues are now
available.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A buffer overflow flaw was discovered in uw-imap, the University of
Washington IMAP server. php-imap is statically linked against the
c-client library shipped with imap, so the PHP packages had to be rebuilt
against the fixed library; updating the imap package alone does not fix
php-imap. (CVE-2005-2933)

An input validation error was found in the "mb_send_mail()" function. An
attacker who controls the "To" parameter passed to "mb_send_mail()" by a
script could use this flaw to inject arbitrary headers into the mail that
script sends. (CVE-2005-3883)
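The injection described above, modelled in Python as an added example (it is
not PHP code, and not code from this advisory): a naive mailer splices the
"To" value straight into the header block, an attacker-controlled "To" carrying
a line break therefore becomes two headers, and a hardened variant rejects any
value containing CR or LF before it reaches the mailer. The header names,
addresses and mailer functions are constructed for the example.

```python
"""Header injection through an attacker-controlled recipient (CVE-2005-3883 class).

Added example, not code from PHP or from this advisory. It models in Python
what a mail function does with its To and Subject arguments so the injected
header is visible; the field names and sample addresses are constructed.
"""
import re

CRLF = "\r\n"
# Any CR or LF inside a single-line header value ends that header and starts a
# new one when the block is serialized, which is exactly what the attacker needs.
# Matching either character (not only the CRLF pair) matters: a bare LF is enough.
HEADER_CTRL_RE = re.compile(r"[\r\n]")


def naive_headers(to, subject, extra=None):
    """What a mailer does when it trusts To/Subject: splice them into the header block."""
    block = "To: %s%sSubject: %s%s" % (to, CRLF, subject, CRLF)
    if extra:
        block += extra.rstrip(CRLF) + CRLF
    return block


def parse_header_block(block):
    """Split a serialized header block back into (name, value) pairs, as an MTA would."""
    headers = []
    for line in block.split(CRLF):
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def validated_recipient(to):
    """Reject a recipient that would terminate the To header early.

    Raises ValueError on CR or LF. The same check belongs on every value that
    lands in a header: Subject and any additional headers included.
    """
    if HEADER_CTRL_RE.search(to):
        raise ValueError("line break in recipient: %r" % to)
    return to


def safe_headers(to, subject, extra=None):
    """Hardened variant: validate each header value before splicing it in."""
    for value in (to, subject, extra or ""):
        if HEADER_CTRL_RE.search(value):
            raise ValueError("line break in header value: %r" % value)
    return naive_headers(to, subject, extra)


# Constructed attacker input: a valid-looking address followed by a line break
# and a Bcc header, so the mail is silently copied to a third party.
INJECTED_TO = "victim@example.com\r\nBcc: spam-target@example.net"


def demo():
    """Return the header names an MTA sees from the naive mailer, and whether
    the hardened mailer rejected the same input."""
    seen = [name for name, _ in parse_header_block(naive_headers(INJECTED_TO, "hello"))]
    try:
        safe_headers(INJECTED_TO, "hello")
        rejected = False
    except ValueError:
        rejected = True
    return seen, rejected


if __name__ == "__main__":
    names, rejected = demo()
    print("naive mailer emits headers:", names)
    print("hardened mailer rejected the input:", rejected)
```

The naive mailer turns one recipient into a "To" plus an attacker-chosen "Bcc";
the hardened mailer refuses the input outright rather than trying to strip the
line break, since a stripped value may still be something the attacker shaped.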

The error-handling output was found not to escape HTML properly in certain
cases. An attacker could use this flaw to perform cross-site scripting
attacks against sites that have both display_errors and html_errors
enabled. Sites that run with display_errors off, as production systems
normally should, are not exposed, because html_errors only changes how
errors that are displayed are formatted. (CVE-2006-0208)

The phpinfo() function did not properly sanitize long strings. An attacker
could use this to perform cross-site scripting attacks against sites that
have publicly reachable PHP scripts calling phpinfo(). Such scripts should
not be reachable by untrusted users in any case, since phpinfo() discloses
the server's configuration. (CVE-2006-0996)

The html_entity_decode() function was found not to be binary safe. An
attacker could use this flaw to disclose part of the process's memory. The
issue is exploitable only where a PHP script passes untrusted user input
to html_entity_decode() and displays the result. (CVE-2006-1490)

The wordwrap() function did not check for integer overflow when handling
the "break" parameter. An attacker who could control the string passed as
"break" could cause a heap overflow. (CVE-2006-1990)

Users of PHP should upgrade to these updated packages, which contain
backported patches that resolve these issues.

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Jun 15 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.1.2-7.3.20.legacy
- replaced CVE-2006-0996 and CVE-2006-0208 patches with the ones from RHEL21
- prevent integer overflow in wordwrap (CVE-2006-1990)

* Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.1.2-7.3.19.legacy
- add fix for imap DoS (#175040)
- add security fix for new phpinfo XSS (CVE-2006-0996)
- add security fix for XSS issues in "html_errors" mode (CVE-2006-0208)
- add security fix for mbstring header validation (CVE-2005-3383)

rh9:
* Sat Jun 24 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.2.2-17.21.legacy
- replaced CVE-2006-0208 patch with the one from RHEL21
- prevent integer overflow in wordwrap (CVE-2006-1990)

* Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.2.2-17.20.legacy
- removed TSRMLS_CC from CVE-2006-0996 patch

* Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.2.2-17.19.legacy
- add fix for imap DoS (#175040)

* Fri Apr 28 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.2.2-17.18.legacy
- add security fix for new phpinfo XSS (CVE-2006-0996)
- add security fix for XSS issues in "html_errors" mode (CVE-2006-0208)
- add security fix for mbstring header validation (CVE-2005-3383)

fc1:
* Wed Jun 14 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc1.6.legacy
- prevent integer overflow in wordwrap (CVE-2006-1990)

* Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc1.5.legacy
- remove TSRMLS_CC from CVE-2006-0996 patch

* Thu Apr 27 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc1.4.legacy
- add security fix for new phpinfo XSS (CVE-2006-0996)
- add binary safeness fix for php_unescape_html_entities (CVE-2006-1490)
- add security fix for XSS issues in "html_errors" mode (CVE-2006-0208)
- add security fix for mbstring header validation (CVE-2005-3383)

fc2:
* Tue Jun 13 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc2.7.legacy
- prevent integer overflow in wordwrap (CVE-2006-1990)

* Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc2.6.legacy
- removed TSRMLS_CC from CVE-2006-0996 patch

* Wed Apr 26 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-1.fc2.5.legacy
- add security fix for new phpinfo XSS (CVE-2006-0996)
- add binary safeness fix for php_unescape_html_entities (CVE-2006-1490)
- add security fix for XSS issues in "html_errors" mode (CVE-2006-0208)
- add security fix for mbstring header validation (CVE-2005-3383)

fc3:
* Tue Jul 04 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-2.8.4.legacy
- added sendmail, w3c-libwww-devel, flex and gnupg to BuildRequires

* Wed Jun 14 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-2.8.3.legacy
- prevent integer overflow in wordwrap (CVE-2006-1990)

* Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-2.8.2.legacy
- removed TSRMLS_CC from CVE-2006-0996 patch

* Wed Apr 26 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx>
4.3.11-2.8.1.legacy
- add security fix for new phpinfo XSS (CVE-2006-0996)
- add binary safeness fix for php_unescape_html_entities (CVE-2006-1490)
- add security fix for XSS issues in "html_errors" mode (CVE-2006-0208)
- add security fix for mbstring header validation (CVE-2005-3383)

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/
(sha1sums)

rh73:
716216fdf1ddc42bb8d210d1e121ba8d0e7f4d7c
redhat/7.3/updates-testing/i386/php-4.1.2-7.3.20.legacy.i386.rpm
61612a0c2e6244ccfb4e35ea04865d48f75f7c48
redhat/7.3/updates-testing/i386/php-devel-4.1.2-7.3.20.legacy.i386.rpm
d29efdfdd669875715c0956fedc59b99ef7681f3
redhat/7.3/updates-testing/i386/php-imap-4.1.2-7.3.20.legacy.i386.rpm
1e09ae807ccf160ef9011818d4dda590bab224d7
redhat/7.3/updates-testing/i386/php-ldap-4.1.2-7.3.20.legacy.i386.rpm
0dfa25adffe75db47fbf2a366eb456d8fcfca918
redhat/7.3/updates-testing/i386/php-manual-4.1.2-7.3.20.legacy.i386.rpm
9141e782d32739b5bc2a9b611d7cdc352e523c26
redhat/7.3/updates-testing/i386/php-mysql-4.1.2-7.3.20.legacy.i386.rpm
f1e88cf8e7f644f81473efc561f4df502ef7bc24
redhat/7.3/updates-testing/i386/php-odbc-4.1.2-7.3.20.legacy.i386.rpm
dd58b7187e116874558c5567b8c6897d1d1d4154
redhat/7.3/updates-testing/i386/php-pgsql-4.1.2-7.3.20.legacy.i386.rpm
0575467b89a44d1e5b0bebc00fac018666a8b827
redhat/7.3/updates-testing/i386/php-snmp-4.1.2-7.3.20.legacy.i386.rpm
8541c7eefbf6162eeca5f12f834ccf3af8fee85b
redhat/7.3/updates-testing/SRPMS/php-4.1.2-7.3.20.legacy.src.rpm

rh9:
1cd4a11bf52c1b18dce2937a7f15789b059c1967
redhat/9/updates-testing/i386/php-4.2.2-17.21.legacy.i386.rpm
109a96dc0633b661e6789d9b41a3cf298e140401
redhat/9/updates-testing/i386/php-devel-4.2.2-17.21.legacy.i386.rpm
f5df6f259745f0050c15a50b75e2114381c07fb1
redhat/9/updates-testing/i386/php-imap-4.2.2-17.21.legacy.i386.rpm
8223f6cc4e84478523cd8560bdc9b75d90c33a14
redhat/9/updates-testing/i386/php-ldap-4.2.2-17.21.legacy.i386.rpm
18ac761d897ba89e94086facdb7b529e7d60c0e2
redhat/9/updates-testing/i386/php-manual-4.2.2-17.21.legacy.i386.rpm
714057b386abaa03573d14c8757ef97858ba2b17
redhat/9/updates-testing/i386/php-mysql-4.2.2-17.21.legacy.i386.rpm
c2002f4f520ea2f7dbe11402ad460a181c44175a
redhat/9/updates-testing/i386/php-odbc-4.2.2-17.21.legacy.i386.rpm
26a858731e032c0622003c8d9398a6b5ead86b24
redhat/9/updates-testing/i386/php-pgsql-4.2.2-17.21.legacy.i386.rpm
258887bd3e690dad1b88dfcbc280a8523fa52338
redhat/9/updates-testing/i386/php-snmp-4.2.2-17.21.legacy.i386.rpm
fe815ab1d505fcef7629e0abe4b25f2c66054f1c
redhat/9/updates-testing/SRPMS/php-4.2.2-17.21.legacy.src.rpm

fc1:
5cc63a63de0057797737ceefbdfeb0f466d87beb
fedora/1/updates-testing/i386/php-4.3.11-1.fc1.6.legacy.i386.rpm
315b0ae174f33d437178982f47dd24ba48848346
fedora/1/updates-testing/i386/php-devel-4.3.11-1.fc1.6.legacy.i386.rpm
92d36fe3e062b33e6b22bcd101dd85dc03803616
fedora/1/updates-testing/i386/php-domxml-4.3.11-1.fc1.6.legacy.i386.rpm
7083eb87cdcb9e83ef83e6ba7aee63a2a259ce89
fedora/1/updates-testing/i386/php-imap-4.3.11-1.fc1.6.legacy.i386.rpm
acb18926452c2faf331fc8b25a09de3f4da2d7cb
fedora/1/updates-testing/i386/php-ldap-4.3.11-1.fc1.6.legacy.i386.rpm
c90c744840ebff6c9149b9df9513db63a10a6247
fedora/1/updates-testing/i386/php-mbstring-4.3.11-1.fc1.6.legacy.i386.rpm
e84b242476b61b0aa19b2b71af4f69043cc4ecee
fedora/1/updates-testing/i386/php-mysql-4.3.11-1.fc1.6.legacy.i386.rpm
a765f1e3d73d9d5cbd1fb5cbfb868f70baf2ce4a
fedora/1/updates-testing/i386/php-odbc-4.3.11-1.fc1.6.legacy.i386.rpm
0ef956e24befd3a9b462f0953edc164595ac27cf
fedora/1/updates-testing/i386/php-pgsql-4.3.11-1.fc1.6.legacy.i386.rpm
e5e9f011f9d403881a9350d5395db6ccaa402b6a
fedora/1/updates-testing/i386/php-snmp-4.3.11-1.fc1.6.legacy.i386.rpm
f29d6f88cd780e32e9307c1d8ad8446e559c8a29
fedora/1/updates-testing/i386/php-xmlrpc-4.3.11-1.fc1.6.legacy.i386.rpm
edbf95d5ea4944e3a41ccebcebaf2702b4545f98
fedora/1/updates-testing/SRPMS/php-4.3.11-1.fc1.6.legacy.src.rpm

fc2:
f2ec94d1069ff3214ac031f7f5c6a1e29f22e90d
fedora/2/updates-testing/i386/php-4.3.11-1.fc2.7.legacy.i386.rpm
34c8d44ccd71a3f09dc289d4f0fc826dc34f9a60
fedora/2/updates-testing/i386/php-devel-4.3.11-1.fc2.7.legacy.i386.rpm
09d8100aea583b0b47f87190b6a557ed3f7e3636
fedora/2/updates-testing/i386/php-domxml-4.3.11-1.fc2.7.legacy.i386.rpm
f11bc7846717d98b73e73d9bf9870b2f5e19d341
fedora/2/updates-testing/i386/php-imap-4.3.11-1.fc2.7.legacy.i386.rpm
69d11e09f15a6acb488a28a8e4751f468e332c73
fedora/2/updates-testing/i386/php-ldap-4.3.11-1.fc2.7.legacy.i386.rpm
a07b390dc004d6a330c49cf1e8262471c93e9108
fedora/2/updates-testing/i386/php-mbstring-4.3.11-1.fc2.7.legacy.i386.rpm
2820fb1d8832d034b2529ec7087c5839baebccfe
fedora/2/updates-testing/i386/php-mysql-4.3.11-1.fc2.7.legacy.i386.rpm
ed69c77a9e312348a6ca73ad2d7f270459bc16dc
fedora/2/updates-testing/i386/php-odbc-4.3.11-1.fc2.7.legacy.i386.rpm
5ff64a9b70c418ce762ff815be8fcefb5aa89d15
fedora/2/updates-testing/i386/php-pear-4.3.11-1.fc2.7.legacy.i386.rpm
9251da041356734713a644ff778ae4afc2ab2879
fedora/2/updates-testing/i386/php-pgsql-4.3.11-1.fc2.7.legacy.i386.rpm
eabd9dd422934c99902429c311f61a4a4a26e3c7
fedora/2/updates-testing/i386/php-snmp-4.3.11-1.fc2.7.legacy.i386.rpm
7b027d1cd8844312ed20711bef92013078e33b83
fedora/2/updates-testing/i386/php-xmlrpc-4.3.11-1.fc2.7.legacy.i386.rpm
026b3dd063586fe6e29f6cb482206e4f5631ac0f
fedora/2/updates-testing/SRPMS/php-4.3.11-1.fc2.7.legacy.src.rpm

fc3:
cafefc39811f7923007e522aa5ca84a0e073dd96
fedora/3/updates-testing/i386/php-4.3.11-2.8.4.legacy.i386.rpm
e2d84ad62c2703b5a7f3875d0d52e9461f5f81fe
fedora/3/updates-testing/i386/php-devel-4.3.11-2.8.4.legacy.i386.rpm
7b90726025ff13e815509216a73fa9c2914a6ad0
fedora/3/updates-testing/i386/php-domxml-4.3.11-2.8.4.legacy.i386.rpm
6367004e4200fcb44778088c911495458b08cde4
fedora/3/updates-testing/i386/php-gd-4.3.11-2.8.4.legacy.i386.rpm
abb3cdd3dcc030b85e03a409372daac6093a63d0
fedora/3/updates-testing/i386/php-imap-4.3.11-2.8.4.legacy.i386.rpm
df673e8e983ea6cec3b50f65e50950f625493223
fedora/3/updates-testing/i386/php-ldap-4.3.11-2.8.4.legacy.i386.rpm
4e95b2f44661683fd17c72f881323f36757793ef
fedora/3/updates-testing/i386/php-mbstring-4.3.11-2.8.4.legacy.i386.rpm
a891c751c82acc9bf1cc6ac59332196344b42a8c
fedora/3/updates-testing/i386/php-mysql-4.3.11-2.8.4.legacy.i386.rpm
865dde39429ac6fc59296af9ed938c4e7b30216c
fedora/3/updates-testing/i386/php-ncurses-4.3.11-2.8.4.legacy.i386.rpm
32b5075e4e3406c4ab9715ef970f1e5ec4f808e3
fedora/3/updates-testing/i386/php-odbc-4.3.11-2.8.4.legacy.i386.rpm
5867c11e75d26edbcd79e815bc79a1c2354878ec
fedora/3/updates-testing/i386/php-pear-4.3.11-2.8.4.legacy.i386.rpm
5f05fae3bc0ef2841ed479cb5968443fee448698
fedora/3/updates-testing/i386/php-pgsql-4.3.11-2.8.4.legacy.i386.rpm
71591b13628f0db7a0818c9bb818b63e176c9904
fedora/3/updates-testing/i386/php-snmp-4.3.11-2.8.4.legacy.i386.rpm
c5f9dcb4c6e8bc117b88ffa06a60049a80f68287
fedora/3/updates-testing/i386/php-xmlrpc-4.3.11-2.8.4.legacy.i386.rpm
78fb1d65369f96b86027bc04e91d2c058fbd1e73
fedora/3/updates-testing/x86_64/php-4.3.11-2.8.4.legacy.x86_64.rpm
102f14f60d3dc134cb6f698f6d4d1f4264006940
fedora/3/updates-testing/x86_64/php-devel-4.3.11-2.8.4.legacy.x86_64.rpm
333d7213daf29f486ad7e047e1adc418c3258500
fedora/3/updates-testing/x86_64/php-domxml-4.3.11-2.8.4.legacy.x86_64.rpm
59c18b269a3a1712684d8fab00c7577033ac2108
fedora/3/updates-testing/x86_64/php-gd-4.3.11-2.8.4.legacy.x86_64.rpm
ce155d28b0e81eb5527cf0e2f496bc8a9e5ce75d
fedora/3/updates-testing/x86_64/php-imap-4.3.11-2.8.4.legacy.x86_64.rpm
39e63584c3419002a43d71973ff93a356fc278c0
fedora/3/updates-testing/x86_64/php-ldap-4.3.11-2.8.4.legacy.x86_64.rpm
b5131dae7d6908114b959d3ab0e1661158e66e0f
fedora/3/updates-testing/x86_64/php-mbstring-4.3.11-2.8.4.legacy.x86_64.rpm
5b366cf0918e314c52e2da44baac70c81dd6fa38
fedora/3/updates-testing/x86_64/php-mysql-4.3.11-2.8.4.legacy.x86_64.rpm
eae4616e39e8a82a4cf931352d4610a293499e5e
fedora/3/updates-testing/x86_64/php-ncurses-4.3.11-2.8.4.legacy.x86_64.rpm
c3c95fb30901f381376be17003f29ed36a7f22d8
fedora/3/updates-testing/x86_64/php-odbc-4.3.11-2.8.4.legacy.x86_64.rpm
4bc178a084fe1df33ac0a92c15f8d7b817f4a2c7
fedora/3/updates-testing/x86_64/php-pear-4.3.11-2.8.4.legacy.x86_64.rpm
9ce8349a77d7817e505629c5944a9c7c59a6e284
fedora/3/updates-testing/x86_64/php-pgsql-4.3.11-2.8.4.legacy.x86_64.rpm
d631abea1dd6cad2bd3d16d52877b5b3f310a2f5
fedora/3/updates-testing/x86_64/php-snmp-4.3.11-2.8.4.legacy.x86_64.rpm
c91a27a8bf159f2586d0d6e8ba1ce07f4651e5bd
fedora/3/updates-testing/x86_64/php-xmlrpc-4.3.11-2.8.4.legacy.x86_64.rpm
b560a17c4ad7954b0184660d900ea2bb37ee1b4a
fedora/3/updates-testing/SRPMS/php-4.3.11-2.8.4.legacy.src.rpm
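The checksum list above is meant to be verified before any of the packages is
installed. The following is an added example, not part of the notification and
not a Fedora Legacy tool, of checking a download tree against that list with
Python's hashlib. It assumes the two-line layout printed above (a SHA-1 on one
line, the package path relative to the download root on the next, with
"rh73:"-style release labels in between) and constructs its own sample files
and manifest; real use would pass the advisory's list and the directory the
packages were downloaded into.

```python
"""Verify downloaded packages against an advisory's sha1sums list.

Added example, not part of the original notification. The manifest format
assumed here is the one the notification prints: a 40-hex-digit SHA-1 on one
line, followed on the next line by the package path relative to the download
root. Release labels such as 'fc3:' and blank lines are skipped.
"""
import hashlib
import os
import re
import tempfile

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_manifest(text):
    """Parse alternating 'sha1' / 'relative path' lines into (sha1, path) pairs.

    Raises ValueError if a hash is not followed by a path or a path has no hash,
    so a truncated or reflowed copy of the list is rejected rather than half-used.
    """
    pairs = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        if SHA1_RE.match(line):
            if pending is not None:
                raise ValueError("hash %s has no path" % pending)
            pending = line
        else:
            if pending is None:
                raise ValueError("path %r has no preceding hash" % line)
            pairs.append((pending, line))
            pending = None
    if pending is not None:
        raise ValueError("trailing hash %s has no path" % pending)
    return pairs


def sha1_of_file(path):
    """SHA-1 of a file, read in chunks so large RPMs are not loaded whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(manifest_text, download_root):
    """Return {relative_path: 'ok' | 'mismatch' | 'missing'} for every manifest entry.

    Only files reported 'ok' should be installed; 'mismatch' means the download
    is corrupt or was altered in transit.
    """
    results = {}
    for expected, rel in parse_manifest(manifest_text):
        full = os.path.join(download_root, rel)
        if not os.path.isfile(full):
            results[rel] = "missing"
        elif sha1_of_file(full) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed demonstration: build a tiny download tree and check it.

    One file matches its listed hash, one was 'tampered' after the hash was
    published, and one was never downloaded. Paths and contents are made up.
    """
    root = tempfile.mkdtemp()
    good = b"constructed rpm payload A"
    tampered = b"constructed rpm payload B, altered in transit"
    rel_good = "fedora/3/updates-testing/i386/php-demo-good.rpm"
    rel_bad = "fedora/3/updates-testing/i386/php-demo-tampered.rpm"
    rel_missing = "fedora/3/updates-testing/i386/php-demo-missing.rpm"
    for rel, data in ((rel_good, good), (rel_bad, tampered)):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = "fc3:\n%s\n%s\n%s\n%s\n%s\n%s\n" % (
        hashlib.sha1(good).hexdigest(), rel_good,
        hashlib.sha1(b"constructed rpm payload B").hexdigest(), rel_bad,
        hashlib.sha1(b"never downloaded").hexdigest(), rel_missing,
    )
    return verify_downloads(manifest, root)


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(status, rel)
```

A matching checksum only means the file is the one the notification describes,
so it is worth as much as the notification itself: the OpenPGP signature on the
message is what ties the list to Fedora Legacy, and `rpm --checksig` on the
packages checks their own signatures independently of this list.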

---------------------------------------------------------------------

Please test and comment in bugzilla.

Attachment: signature.asc
Description: OpenPGP digital signature

--

fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
