--------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2006-175040 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040 2006-07-05 --------------------------------------------------------------------- Name : php Versions : rh73: php-4.1.2-7.3.20.legacy Versions : rh9: php-4.2.2-17.21.legacy Versions : fc1: php-4.3.11-1.fc1.6.legacy Versions : fc2: php-4.3.11-1.fc2.7.legacy Versions : fc3: php-4.3.11-2.8.4.legacy Summary : The PHP HTML-embedded scripting language. Description : PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated webpages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is fairly simple. The most common use of PHP coding is probably as a replacement for CGI scripts. The mod_php module enables the Apache Web server to understand and process the embedded PHP language in Web pages. --------------------------------------------------------------------- Update Information: Updated PHP packages that fix multiple security issues are now available. PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. A buffer overflow flaw was discovered in uw-imap, the University of Washington's IMAP Server. php-imap is compiled against the static c-client libraries from imap and therefore needed to be recompiled against the fixed version. (CVE-2005-2933). An input validation error was found in the "mb_send_mail()" function. An attacker could use this flaw to inject arbitrary headers in a mail sent via a script calling the "mb_send_mail()" function where the "To" parameter can be controlled by the attacker. (CVE-2005-3883) The error handling output was found to not properly escape HTML output in certain cases. An attacker could use this flaw to perform cross-site scripting attacks against sites where both display_errors and html_errors are enabled. (CVE-2006-0208) The phpinfo() PHP function did not properly sanitize long strings. An attacker could use this to perform cross-site scripting attacks against sites that have publicly-available PHP scripts that call phpinfo(). (CVE-2006-0996) The html_entity_decode() PHP function was found to not be binary safe. An attacker could use this flaw to disclose a certain part of the memory. In order for this issue to be exploitable the target site would need to have a PHP script which called the "html_entity_decode()" function with untrusted input from the user and displayed the result. (CVE-2006-1490) The wordwrap() PHP function did not properly check for integer overflow in the handling of the "break" parameter. An attacker who could control the string passed to the "break" parameter could cause a heap overflow. (CVE-2006-1990) Users of PHP should upgrade to these updated packages, which contain backported patches that resolve these issues. --------------------------------------------------------------------- Changelogs rh73: * Thu Jun 15 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.1.2-7.3.20.legacy - replaced CVE-2006-0996 and CVE-2006-0208 patches with the ones from RHEL21 - prevent integer overflow in wordwrap (CVE-2006-1990) * Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.1.2-7.3.19.legacy - add fix for imap DoS (#175040) - add security fix for new phpinfo XSS (CVE-2006-0996) - add security fix for XSS issues in "html_errors" mode (CVE-2006-0208) - add security fix for mbstring header validation (CVE-2005-3383) rh9: * Sat Jun 24 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.2.2-17.21.legacy - replaced CVE-2006-0208 patch with the one from RHEL21 - prevent integer overflow in wordwrap (CVE-2006-1990) * Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.2.2-17.20.legacy - removed TSRMLS_CC from CVE-2006-0996 patch * Sat Apr 29 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.2.2-17.19.legacy - add fix for imap DoS (#175040) * Fri Apr 28 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.2.2-17.18.legacy - add security fix for new phpinfo XSS (CVE-2006-0996) - add security fix for XSS issues in "html_errors" mode (CVE-2006-0208) - add security fix for mbstring header validation (CVE-2005-3383) fc1: * Wed Jun 14 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc1.6.legacy - prevent integer overflow in wordwrap (CVE-2006-1990) * Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc1.5.legacy - remove TSRMLS_CC from CVE-2006-0996 patch * Thu Apr 27 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc1.4.legacy - add security fix for new phpinfo XSS (CVE-2006-0996) - add binary safeness fix for php_unescape_html_entities (CVE-2006-1490) - add security fix for XSS issues in "html_errors" mode (CVE-2006-0208) - add security fix for mbstring header validation (CVE-2005-3383) fc2: * Tue Jun 13 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc2.7.legacy - prevent integer overflow in wordwrap (CVE-2006-1990) * Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc2.6.legacy - removed TSRMLS_CC from CVE-2006-0996 patch * Wed Apr 26 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-1.fc2.5.legacy - add security fix for new phpinfo XSS (CVE-2006-0996) - add binary safeness fix for php_unescape_html_entities (CVE-2006-1490) - add security fix for XSS issues in "html_errors" mode (CVE-2006-0208) - add security fix for mbstring header validation (CVE-2005-3383) fc3: * Tue Jul 04 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-2.8.4.legacy - added sendmail, w3c-libwww-devel, flex and gnupg to BuildRequires * Wed Jun 14 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-2.8.3.legacy - prevent integer overflow in wordwrap (CVE-2006-1990) * Sun Apr 30 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-2.8.2.legacy - removed TSRMLS_CC from CVE-2006-0996 patch * Wed Apr 26 2006 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 4.3.11-2.8.1.legacy - add security fix for new phpinfo XSS (CVE-2006-0996) - add binary safeness fix for php_unescape_html_entities (CVE-2006-1490) - add security fix for XSS issues in "html_errors" mode (CVE-2006-0208) - add security fix for mbstring header validation (CVE-2005-3383) --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) rh73: 716216fdf1ddc42bb8d210d1e121ba8d0e7f4d7c redhat/7.3/updates-testing/i386/php-4.1.2-7.3.20.legacy.i386.rpm 61612a0c2e6244ccfb4e35ea04865d48f75f7c48 redhat/7.3/updates-testing/i386/php-devel-4.1.2-7.3.20.legacy.i386.rpm d29efdfdd669875715c0956fedc59b99ef7681f3 redhat/7.3/updates-testing/i386/php-imap-4.1.2-7.3.20.legacy.i386.rpm 1e09ae807ccf160ef9011818d4dda590bab224d7 redhat/7.3/updates-testing/i386/php-ldap-4.1.2-7.3.20.legacy.i386.rpm 0dfa25adffe75db47fbf2a366eb456d8fcfca918 redhat/7.3/updates-testing/i386/php-manual-4.1.2-7.3.20.legacy.i386.rpm 9141e782d32739b5bc2a9b611d7cdc352e523c26 redhat/7.3/updates-testing/i386/php-mysql-4.1.2-7.3.20.legacy.i386.rpm f1e88cf8e7f644f81473efc561f4df502ef7bc24 redhat/7.3/updates-testing/i386/php-odbc-4.1.2-7.3.20.legacy.i386.rpm dd58b7187e116874558c5567b8c6897d1d1d4154 redhat/7.3/updates-testing/i386/php-pgsql-4.1.2-7.3.20.legacy.i386.rpm 0575467b89a44d1e5b0bebc00fac018666a8b827 redhat/7.3/updates-testing/i386/php-snmp-4.1.2-7.3.20.legacy.i386.rpm 8541c7eefbf6162eeca5f12f834ccf3af8fee85b redhat/7.3/updates-testing/SRPMS/php-4.1.2-7.3.20.legacy.src.rpm rh9: 1cd4a11bf52c1b18dce2937a7f15789b059c1967 redhat/9/updates-testing/i386/php-4.2.2-17.21.legacy.i386.rpm 109a96dc0633b661e6789d9b41a3cf298e140401 redhat/9/updates-testing/i386/php-devel-4.2.2-17.21.legacy.i386.rpm f5df6f259745f0050c15a50b75e2114381c07fb1 redhat/9/updates-testing/i386/php-imap-4.2.2-17.21.legacy.i386.rpm 8223f6cc4e84478523cd8560bdc9b75d90c33a14 redhat/9/updates-testing/i386/php-ldap-4.2.2-17.21.legacy.i386.rpm 18ac761d897ba89e94086facdb7b529e7d60c0e2 redhat/9/updates-testing/i386/php-manual-4.2.2-17.21.legacy.i386.rpm 714057b386abaa03573d14c8757ef97858ba2b17 redhat/9/updates-testing/i386/php-mysql-4.2.2-17.21.legacy.i386.rpm c2002f4f520ea2f7dbe11402ad460a181c44175a redhat/9/updates-testing/i386/php-odbc-4.2.2-17.21.legacy.i386.rpm 26a858731e032c0622003c8d9398a6b5ead86b24 redhat/9/updates-testing/i386/php-pgsql-4.2.2-17.21.legacy.i386.rpm 258887bd3e690dad1b88dfcbc280a8523fa52338 redhat/9/updates-testing/i386/php-snmp-4.2.2-17.21.legacy.i386.rpm fe815ab1d505fcef7629e0abe4b25f2c66054f1c redhat/9/updates-testing/SRPMS/php-4.2.2-17.21.legacy.src.rpm fc1: 5cc63a63de0057797737ceefbdfeb0f466d87beb fedora/1/updates-testing/i386/php-4.3.11-1.fc1.6.legacy.i386.rpm 315b0ae174f33d437178982f47dd24ba48848346 fedora/1/updates-testing/i386/php-devel-4.3.11-1.fc1.6.legacy.i386.rpm 92d36fe3e062b33e6b22bcd101dd85dc03803616 fedora/1/updates-testing/i386/php-domxml-4.3.11-1.fc1.6.legacy.i386.rpm 7083eb87cdcb9e83ef83e6ba7aee63a2a259ce89 fedora/1/updates-testing/i386/php-imap-4.3.11-1.fc1.6.legacy.i386.rpm acb18926452c2faf331fc8b25a09de3f4da2d7cb fedora/1/updates-testing/i386/php-ldap-4.3.11-1.fc1.6.legacy.i386.rpm c90c744840ebff6c9149b9df9513db63a10a6247 fedora/1/updates-testing/i386/php-mbstring-4.3.11-1.fc1.6.legacy.i386.rpm e84b242476b61b0aa19b2b71af4f69043cc4ecee fedora/1/updates-testing/i386/php-mysql-4.3.11-1.fc1.6.legacy.i386.rpm a765f1e3d73d9d5cbd1fb5cbfb868f70baf2ce4a fedora/1/updates-testing/i386/php-odbc-4.3.11-1.fc1.6.legacy.i386.rpm 0ef956e24befd3a9b462f0953edc164595ac27cf fedora/1/updates-testing/i386/php-pgsql-4.3.11-1.fc1.6.legacy.i386.rpm e5e9f011f9d403881a9350d5395db6ccaa402b6a fedora/1/updates-testing/i386/php-snmp-4.3.11-1.fc1.6.legacy.i386.rpm f29d6f88cd780e32e9307c1d8ad8446e559c8a29 fedora/1/updates-testing/i386/php-xmlrpc-4.3.11-1.fc1.6.legacy.i386.rpm edbf95d5ea4944e3a41ccebcebaf2702b4545f98 fedora/1/updates-testing/SRPMS/php-4.3.11-1.fc1.6.legacy.src.rpm fc2: f2ec94d1069ff3214ac031f7f5c6a1e29f22e90d fedora/2/updates-testing/i386/php-4.3.11-1.fc2.7.legacy.i386.rpm 34c8d44ccd71a3f09dc289d4f0fc826dc34f9a60 fedora/2/updates-testing/i386/php-devel-4.3.11-1.fc2.7.legacy.i386.rpm 09d8100aea583b0b47f87190b6a557ed3f7e3636 fedora/2/updates-testing/i386/php-domxml-4.3.11-1.fc2.7.legacy.i386.rpm f11bc7846717d98b73e73d9bf9870b2f5e19d341 fedora/2/updates-testing/i386/php-imap-4.3.11-1.fc2.7.legacy.i386.rpm 69d11e09f15a6acb488a28a8e4751f468e332c73 fedora/2/updates-testing/i386/php-ldap-4.3.11-1.fc2.7.legacy.i386.rpm a07b390dc004d6a330c49cf1e8262471c93e9108 fedora/2/updates-testing/i386/php-mbstring-4.3.11-1.fc2.7.legacy.i386.rpm 2820fb1d8832d034b2529ec7087c5839baebccfe fedora/2/updates-testing/i386/php-mysql-4.3.11-1.fc2.7.legacy.i386.rpm ed69c77a9e312348a6ca73ad2d7f270459bc16dc fedora/2/updates-testing/i386/php-odbc-4.3.11-1.fc2.7.legacy.i386.rpm 5ff64a9b70c418ce762ff815be8fcefb5aa89d15 fedora/2/updates-testing/i386/php-pear-4.3.11-1.fc2.7.legacy.i386.rpm 9251da041356734713a644ff778ae4afc2ab2879 fedora/2/updates-testing/i386/php-pgsql-4.3.11-1.fc2.7.legacy.i386.rpm eabd9dd422934c99902429c311f61a4a4a26e3c7 fedora/2/updates-testing/i386/php-snmp-4.3.11-1.fc2.7.legacy.i386.rpm 7b027d1cd8844312ed20711bef92013078e33b83 fedora/2/updates-testing/i386/php-xmlrpc-4.3.11-1.fc2.7.legacy.i386.rpm 026b3dd063586fe6e29f6cb482206e4f5631ac0f fedora/2/updates-testing/SRPMS/php-4.3.11-1.fc2.7.legacy.src.rpm fc3: cafefc39811f7923007e522aa5ca84a0e073dd96 fedora/3/updates-testing/i386/php-4.3.11-2.8.4.legacy.i386.rpm e2d84ad62c2703b5a7f3875d0d52e9461f5f81fe fedora/3/updates-testing/i386/php-devel-4.3.11-2.8.4.legacy.i386.rpm 7b90726025ff13e815509216a73fa9c2914a6ad0 fedora/3/updates-testing/i386/php-domxml-4.3.11-2.8.4.legacy.i386.rpm 6367004e4200fcb44778088c911495458b08cde4 fedora/3/updates-testing/i386/php-gd-4.3.11-2.8.4.legacy.i386.rpm abb3cdd3dcc030b85e03a409372daac6093a63d0 fedora/3/updates-testing/i386/php-imap-4.3.11-2.8.4.legacy.i386.rpm df673e8e983ea6cec3b50f65e50950f625493223 fedora/3/updates-testing/i386/php-ldap-4.3.11-2.8.4.legacy.i386.rpm 4e95b2f44661683fd17c72f881323f36757793ef fedora/3/updates-testing/i386/php-mbstring-4.3.11-2.8.4.legacy.i386.rpm a891c751c82acc9bf1cc6ac59332196344b42a8c fedora/3/updates-testing/i386/php-mysql-4.3.11-2.8.4.legacy.i386.rpm 865dde39429ac6fc59296af9ed938c4e7b30216c fedora/3/updates-testing/i386/php-ncurses-4.3.11-2.8.4.legacy.i386.rpm 32b5075e4e3406c4ab9715ef970f1e5ec4f808e3 fedora/3/updates-testing/i386/php-odbc-4.3.11-2.8.4.legacy.i386.rpm 5867c11e75d26edbcd79e815bc79a1c2354878ec fedora/3/updates-testing/i386/php-pear-4.3.11-2.8.4.legacy.i386.rpm 5f05fae3bc0ef2841ed479cb5968443fee448698 fedora/3/updates-testing/i386/php-pgsql-4.3.11-2.8.4.legacy.i386.rpm 71591b13628f0db7a0818c9bb818b63e176c9904 fedora/3/updates-testing/i386/php-snmp-4.3.11-2.8.4.legacy.i386.rpm c5f9dcb4c6e8bc117b88ffa06a60049a80f68287 fedora/3/updates-testing/i386/php-xmlrpc-4.3.11-2.8.4.legacy.i386.rpm 78fb1d65369f96b86027bc04e91d2c058fbd1e73 fedora/3/updates-testing/x86_64/php-4.3.11-2.8.4.legacy.x86_64.rpm 102f14f60d3dc134cb6f698f6d4d1f4264006940 fedora/3/updates-testing/x86_64/php-devel-4.3.11-2.8.4.legacy.x86_64.rpm 333d7213daf29f486ad7e047e1adc418c3258500 fedora/3/updates-testing/x86_64/php-domxml-4.3.11-2.8.4.legacy.x86_64.rpm 59c18b269a3a1712684d8fab00c7577033ac2108 fedora/3/updates-testing/x86_64/php-gd-4.3.11-2.8.4.legacy.x86_64.rpm ce155d28b0e81eb5527cf0e2f496bc8a9e5ce75d fedora/3/updates-testing/x86_64/php-imap-4.3.11-2.8.4.legacy.x86_64.rpm 39e63584c3419002a43d71973ff93a356fc278c0 fedora/3/updates-testing/x86_64/php-ldap-4.3.11-2.8.4.legacy.x86_64.rpm b5131dae7d6908114b959d3ab0e1661158e66e0f fedora/3/updates-testing/x86_64/php-mbstring-4.3.11-2.8.4.legacy.x86_64.rpm 5b366cf0918e314c52e2da44baac70c81dd6fa38 fedora/3/updates-testing/x86_64/php-mysql-4.3.11-2.8.4.legacy.x86_64.rpm eae4616e39e8a82a4cf931352d4610a293499e5e fedora/3/updates-testing/x86_64/php-ncurses-4.3.11-2.8.4.legacy.x86_64.rpm c3c95fb30901f381376be17003f29ed36a7f22d8 fedora/3/updates-testing/x86_64/php-odbc-4.3.11-2.8.4.legacy.x86_64.rpm 4bc178a084fe1df33ac0a92c15f8d7b817f4a2c7 fedora/3/updates-testing/x86_64/php-pear-4.3.11-2.8.4.legacy.x86_64.rpm 9ce8349a77d7817e505629c5944a9c7c59a6e284 fedora/3/updates-testing/x86_64/php-pgsql-4.3.11-2.8.4.legacy.x86_64.rpm d631abea1dd6cad2bd3d16d52877b5b3f310a2f5 fedora/3/updates-testing/x86_64/php-snmp-4.3.11-2.8.4.legacy.x86_64.rpm c91a27a8bf159f2586d0d6e8ba1ce07f4651e5bd fedora/3/updates-testing/x86_64/php-xmlrpc-4.3.11-2.8.4.legacy.x86_64.rpm b560a17c4ad7954b0184660d900ea2bb37ee1b4a fedora/3/updates-testing/SRPMS/php-4.3.11-2.8.4.legacy.src.rpm --------------------------------------------------------------------- Please test and comment in bugzilla.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-legacy-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-legacy-list