
[secure-testing-announce] [DTSA-15-1] New php4 packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-15-1            September 13th, 2005
secure-testing-team@lists.alioth.debian.org                  Neil McGovern
http://secure-testing-master.debian.net/
- --------------------------------------------------------------------------

Package        : php4
Vulnerability  : several vulnerabilities
Problem-Scope  : remote/local
Debian-specific: No
CVE ID         : CAN-2005-1751 CAN-2005-1921 CAN-2005-2498

Several security related problems have been found in PHP4, the
server-side, HTML-embedded scripting language.  The Common
Vulnerabilities and Exposures project identifies the following
problems:

CAN-2005-1751

Eric Romang discovered insecure temporary files in the shtool
utility shipped with PHP that can be exploited by a local attacker to
overwrite arbitrary files.  Only this vulnerability affects
packages in oldstable.

CAN-2005-1921

GulfTech has discovered that PEAR XML_RPC is vulnerable to a
remote PHP code execution vulnerability that may allow an attacker
to compromise a vulnerable server.

CAN-2005-2498

Stefan Esser discovered another vulnerability in the XML-RPC
libraries that allows injection of arbitrary PHP code into eval()
statements.

For the testing distribution (etch) this is fixed in version
4.3.10-16etch1.

For the unstable distribution (sid) this is fixed in version
4.4.0-2.

This upgrade is recommended if you use php4.

The Debian testing security team does not track security issues for the
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.

Upgrade Instructions
- --------------------

To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:

deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from
http://secure-testing-master.debian.net/ziyi-2005-7.asc

To install the update, run this command as root:

apt-get update && apt-get upgrade

For further information about the Debian testing security team, please refer
to http://secure-testing-master.debian.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDJybU97LBwbNFvdMRAoQpAJ0QI1etA8A4hrMCfIFvqd2jitdi6QCffdob
96pCQBg0V201K5ri8yszOQU=
=j8vu
-----END PGP SIGNATURE-----
