SUSE Security Announcement: php remote denial of service (SUSE-SA:2005:023)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SUSE Security Announcement
Package: php4, php5
Announcement-ID: SUSE-SA:2005:023
Date: Fri, 15 Apr 2005 12:00:00 +0000
Affected products: 8.2, 9.0, 9.1, 9.2, 9.3
SUSE Linux Enterprise Server 8, 9
Vulnerability Type: remote denial of service
Severity (1-10): 5
SUSE default package: no
Cross References: CAN-2005-0524
CAN-2005-0525
Content of this advisory:
1) security vulnerability resolved:
php4 / php5 denial of service attack
problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
none
6) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion
This update fixes the following security issues in the PHP scripting
language:
- A bug in getimagesize() EXIF handling which could lead to a denial of
service attack.
This is tracked by the Mitre CVE IDs CAN-2005-0524 and CAN-2005-0525.
Additionally this non-security bug was fixed:
- Performance problems in unserialize() caused by a previous security
fix to unserialize() were fixed.
All SUSE Linux based distributions shipping php4 and php5 were affected.
2) solution/workaround
Please install the upgraded packages.
3) special instructions and notes
Please make sure you restart the web server after this update.
4) package location and checksums
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.
x86 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php4-4.3.10-14.2.i586.rpm
092b41e835df38140ce84a57a8a19291
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/apache2-mod_php5-5.0.3-14.2.i586.rpm
859c59423121af7fc782187b67ac9eb2
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/mod_php4-servlet-4.3.10-14.2.i586.rpm
998bb2eee2ccb49db4889f9064520212
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-4.3.10-14.2.i586.rpm
8e5903503b80b7235e253d9b8b59904f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-devel-4.3.10-14.2.i586.rpm
b6e4b7080e54cb4ca2b970817d7a7202
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-fastcgi-4.3.10-14.2.i586.rpm
5f14cca638d59b161c3db68cc378c237
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-session-4.3.10-14.2.i586.rpm
726545e66501ea788cb278804071bfe3
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php4-sysvshm-4.3.10-14.2.i586.rpm
c201b0e680713340312baef2b8629252
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-5.0.3-14.2.i586.rpm
356d41447026e2c29658b4be3ba18b95
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-devel-5.0.3-14.2.i586.rpm
63b4c9099189788fc6c6fee76d4b0d6f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-fastcgi-5.0.3-14.2.i586.rpm
5b5d43fc648f6d54a36dbd475c075e0d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvmsg-5.0.3-14.2.i586.rpm
f64d969e257eebc6756b018fd2609638
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/php5-sysvshm-5.0.3-14.2.i586.rpm
7e70d9b50cb54250c26953ada098a381
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-32bit-9.3-7.1.x86_64.rpm
05fad72084e61a4df8a3acd1ff08f798
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/apache2-mod_php4-4.3.8-8.5.i586.rpm
30fc3c59fab61fa89944dec7db94d26e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/mod_php4-servlet-4.3.8-8.5.i586.rpm
ba2c67dd1c709dff17168eaebd8e145f
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-4.3.8-8.5.i586.rpm
6d4a22a613dc64a3699d27ce09f9f255
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-devel-4.3.8-8.5.i586.rpm
fdbd8f94484d41142f51af35b18b8b97
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-fastcgi-4.3.8-8.5.i586.rpm
78a39683a5496885464c8a7bb5ebdd82
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-session-4.3.8-8.5.i586.rpm
70a081d38fa56e51c4e357dd0a7c3a73
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/php4-sysvshm-4.3.8-8.5.i586.rpm
ae7974ce3c6e62fea4687a13eefa1f43
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-32bit-9.2-200504081300.x86_64.rpm
a9d235e734d2ac2e876048173900e392
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/apache2-mod_php4-4.3.4-43.28.i586.rpm
b7aead2cb147c681e0efb34cb0012d56
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-core-4.3.4-43.28.i586.rpm
bf8e4ccdcc94b8ff6aa9e50738d5652e
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/mod_php4-servlet-4.3.4-43.28.i586.rpm
cbeec3026b9274969a61421ec0b5d15f
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-4.3.4-43.28.i586.rpm
65b3a8046f7622973b7a7d0b8a388a9a
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-devel-4.3.4-43.28.i586.rpm
dc7b8514735b01887158b9666cb09cc1
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-fastcgi-4.3.4-43.28.i586.rpm
7872f4539151e9055a0c3a05bcc53340
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-imap-4.3.4-43.28.i586.rpm
e6c0896439221b47ac95bd5b81347030
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-mysql-4.3.4-43.28.i586.rpm
879bb81a1e99f0f1abc9f9297ef78afb
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-recode-4.3.4-43.28.i586.rpm
7640c6d169b4ee0bb7beace768ebd3bf
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-servlet-4.3.4-43.28.i586.rpm
091a8ca814be21d0dca4473214151ab4
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-session-4.3.4-43.28.i586.rpm
f836d57b333b0854f77831f947a29939
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-sysvshm-4.3.4-43.28.i586.rpm
d0ce400b95af15df2c2ff93cefc27f6f
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/php4-wddx-4.3.4-43.28.i586.rpm
153fe65a00f9c83ed6e3e9d8ac58bcd7
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/php4-4.3.4-43.28.src.rpm
6cd11704fb5dcba94fef2efe304ce6ae
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/apache2-mod_php4-4.3.3-187.i586.rpm
8e9e46631279dfec913dbccc3507a04d
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-4.3.3-187.i586.rpm
4b817d14ea8cfa471d2b7da231bc9c04
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-aolserver-4.3.3-187.i586.rpm
01cde19877d4cdb7241183c29d799a40
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-core-4.3.3-187.i586.rpm
2f3b9eaea64686556524d4b6a3712b44
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-devel-4.3.3-187.i586.rpm
9ffcd67d307dac6d4d2b35c8f2e19269
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/mod_php4-servlet-4.3.3-187.i586.rpm
f381038385a6634a0191daa3da1d8ea8
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/mod_php4-4.3.3-187.src.rpm
ba28af987d39a5eb456574fc0fb95828
SUSE Linux 8.2:
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/apache2-mod_php4-4.3.1-176.i586.rpm
e2afaa2f21bfd29e5689fb66e87bc7c4
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-4.3.1-176.i586.rpm
7056ee242089ad9889c9109d7ba58bfa
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-aolserver-4.3.1-176.i586.rpm
8af8e5ba3e8a69737b695f3df2886c43
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-core-4.3.1-176.i586.rpm
cc17c23d79a92b7d73db7015343fec6f
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/mod_php4-devel-4.3.1-176.i586.rpm
792e5ca40d4b7416e50a7c5d8305cc76
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/mod_php4-4.3.1-176.src.rpm
33395ed1d8a162e7bca09fc93ef6ed68
x86-64 Platform:
SUSE Linux 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php4-4.3.10-14.2.x86_64.rpm
121aad084e9f90b7e8d29c373b02244b
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/apache2-mod_php5-5.0.3-14.2.x86_64.rpm
9d4dd7ba5c8d91d1457d665bcf0aebbb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/mod_php4-servlet-4.3.10-14.2.x86_64.rpm
878e379e96e2c372963df3da299a15eb
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-4.3.10-14.2.x86_64.rpm
e00307757dcad75e470ba669a703028f
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-devel-4.3.10-14.2.x86_64.rpm
06a496f60998c7201cf185ee474cd43d
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-fastcgi-4.3.10-14.2.x86_64.rpm
0635a305efff157be56155c721db1cff
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-session-4.3.10-14.2.x86_64.rpm
281d0cc5a831edfd3c50a678f0fa74ac
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php4-sysvshm-4.3.10-14.2.x86_64.rpm
edbcb8ca2bab9aa26c799e86526386d9
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-5.0.3-14.2.x86_64.rpm
72d4e5c520f32be6719efd1a744fad3e
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-devel-5.0.3-14.2.x86_64.rpm
c7a90df0de9500399421a565c2828d9c
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-fastcgi-5.0.3-14.2.x86_64.rpm
8cdb9d138bb757dff6906e5bd44eda68
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvmsg-5.0.3-14.2.x86_64.rpm
06152a5ab1352458a8a339813df012b0
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/x86_64/php5-sysvshm-5.0.3-14.2.x86_64.rpm
fbb8306bf72ee918ec6b7a5804f52857
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php4-4.3.10-14.2.src.rpm
2623d3f94ea8e6bd801249f7b79c0e09
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/src/php5-5.0.3-14.2.src.rpm
9026dde16cdf291cfae85d8a8e5b266b
SUSE Linux 9.2:
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/apache2-mod_php4-4.3.8-8.5.x86_64.rpm
74e80d4996883b92ae30b1aea5a24d3d
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/mod_php4-servlet-4.3.8-8.5.x86_64.rpm
b7e113e58096dee64975ad09075b058e
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-4.3.8-8.5.x86_64.rpm
dc2697c70c101c3c16133e45aad4eb05
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-devel-4.3.8-8.5.x86_64.rpm
0904155bbb6b3bf8a275bd7a7780c356
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-fastcgi-4.3.8-8.5.x86_64.rpm
472e3a708e7f6f1774dce421d1c06067
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-session-4.3.8-8.5.x86_64.rpm
4f1402d04098100f10a7910685b17d45
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/x86_64/php4-sysvshm-4.3.8-8.5.x86_64.rpm
ae473a3e1e8177d711a98d7f85a43db1
source rpm(s):
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/php4-4.3.8-8.5.src.rpm
be3087c034218ea830c64dfcfc20fd5d
SUSE Linux 9.1:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/apache2-mod_php4-4.3.4-43.28.x86_64.rpm
8aedd4ae5089b6ad1628a46e962e10c5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-core-4.3.4-43.28.x86_64.rpm
bd38471abb2b27c6e0f104a05ae3dec5
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/mod_php4-servlet-4.3.4-43.28.x86_64.rpm
6db8f9c47c5c3df1acfeb874b87b87af
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-4.3.4-43.28.x86_64.rpm
83acb944933f86d8752eb1c0b79d51fd
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-devel-4.3.4-43.28.x86_64.rpm
eb10c12b4dda00a723fd2481cb0d9431
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-fastcgi-4.3.4-43.28.x86_64.rpm
6f0f093744f78d3a01f22ee750ee41b9
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-imap-4.3.4-43.28.x86_64.rpm
be1d5285711535911577202e61eea27f
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-mysql-4.3.4-43.28.x86_64.rpm
0e7c2f8ee85bac2b33d0669004c93781
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-recode-4.3.4-43.28.x86_64.rpm
e614abf4e2de40ce21bd05a6c0e7b4da
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-servlet-4.3.4-43.28.x86_64.rpm
e769eeaa2674e0090abfd8e97f4a6cb7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-session-4.3.4-43.28.x86_64.rpm
eb9953ae01fbdaae89b1010d8bb89fbd
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-sysvshm-4.3.4-43.28.x86_64.rpm
0a5fd6e2d6caa31edd14e7bb87d45a90
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/php4-wddx-4.3.4-43.28.x86_64.rpm
6507908da0b26e98739bc21d3af623fe
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/src/php4-4.3.4-43.28.src.rpm
2ce604b9c1f50575bae7fdcf1736e40a
SUSE Linux 9.0:
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/apache2-mod_php4-4.3.3-187.x86_64.rpm
adb3475c4da5623ae3a83e82f0369340
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-4.3.3-187.x86_64.rpm
082261652c7fa03cd2dda0101c03e2a7
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-aolserver-4.3.3-187.x86_64.rpm
c4cd316278e841f0a9ea8c3448fe0c63
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-core-4.3.3-187.x86_64.rpm
427d132d1682e628abf972d353e30113
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-devel-4.3.3-187.x86_64.rpm
5a5e7041c2d74a6736cc07a095764b4b
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/mod_php4-servlet-4.3.3-187.x86_64.rpm
76cf3f75df2341b03c58b7ddaeb4bad4
source rpm(s):
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/src/mod_php4-4.3.3-187.src.rpm
b9b4f1b5fa5edac29c606ca3b03c041c
______________________________________________________________________________
5) Pending vulnerabilities in SUSE Distributions and Workarounds:
none
______________________________________________________________________________
6) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SUSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
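The download, verify and install procedure of sections 4 and 6, as an added shell example that is not part of the SUSE advisory. It chains the two independent checks the appendix names (the md5sum from the signed announcement, then the rpm's internal gpg signature) before applying the package with the advisory's "rpm -Fhv". It assumes a Linux host with coreutils md5sum and, for the signature and install steps, rpm with the vendor signing key already imported; the package path and expected hash are supplied by the caller, and the demo at the end uses a constructed temporary file rather than a real package.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory: verify a downloaded update
# package against the md5sum listed in the signed announcement, then check
# the rpm's own gpg signature, and only then apply it with "rpm -Fhv".
# Package path and expected hash are caller-supplied assumptions.

# verify_md5 FILE EXPECTED_MD5
# Returns 0 when the md5sum of FILE equals EXPECTED_MD5 (case-insensitive),
# 1 otherwise. The hash is the one printed beneath the URL in section 4.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_md5: no such file: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  $actual"
        return 0
    fi
    echo "FAIL $file  expected $expected, got $actual" >&2
    return 1
}

# verify_rpm_signature FILE
# Second, independent check from section 6: the rpm's internal gpg
# signature. Requires the vendor key in the rpm keyring ("rpm --import").
verify_rpm_signature() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not installed; cannot check package signature" >&2
        return 1
    }
    rpm --checksig "$1"
}

# apply_update FILE EXPECTED_MD5
# Installs only when both checks pass. -F (freshen) upgrades packages that
# are already installed, exactly as the advisory's "rpm -Fhv file.rpm".
apply_update() {
    verify_md5 "$1" "$2" || return 1
    verify_rpm_signature "$1" || return 1
    rpm -Fhv "$1"
}

# Stand-alone demo on a constructed file: the md5sum of the text "hello\n"
# is b1946ac92492d2347c6235b4d2611184 (a constructed, known-good input).
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184
    ok=$?
    rm -f "$tmp"
    return $ok
}

demo
```

After downloading a package from the list in section 4, run apply_update with the path and the hash printed under its URL; a mismatch in either check stops before any rpm is written to the system, and the web server restart from section 3 is still required afterwards.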
Marcus Meissner