Neil McGovern
2005-Sep-13 19:22 UTC
[secure-testing-announce] [DTSA-15-1] New php4 packages fix several vulnerabilities
--------------------------------------------------------------------------
Debian Testing Security Advisory DTSA-15-1                 September 13th, 2005
secure-testing-team@lists.alioth.debian.org                        Neil McGovern
http://secure-testing-master.debian.net/
--------------------------------------------------------------------------

Package        : php4
Vulnerability  : several vulnerabilities
Problem-Scope  : remote/local
Debian-specific: No
CVE ID         : CAN-2005-1751 CAN-2005-1921 CAN-2005-2498

Several security-related problems have been found in PHP4, the server-side,
HTML-embedded scripting language. The Common Vulnerabilities and Exposures
project identifies the following problems:

CAN-2005-1751

    Eric Romang discovered insecure temporary files in the shtool utility
    shipped with PHP that can be exploited by a local attacker to overwrite
    arbitrary files. Only this vulnerability affects packages in oldstable.

CAN-2005-1921

    GulfTech has discovered that PEAR XML_RPC is vulnerable to a remote PHP
    code execution vulnerability that may allow an attacker to compromise a
    vulnerable server.

CAN-2005-2498

    Stefan Esser discovered another vulnerability in the XML-RPC libraries
    that allows injection of arbitrary PHP code into eval() statements.

For the testing distribution (etch) this is fixed in version 4.3.10-16etch1

For the unstable distribution (sid) this is fixed in version 4.4.0-2

This upgrade is recommended if you use php4.

The Debian testing security team does not track security issues for the
stable (sarge) and oldstable (woody) distributions. If stable is vulnerable,
the Debian security team will make an announcement once a fix is ready.
Upgrade Instructions
--------------------

To use the Debian testing security archive, add the following lines to
your /etc/apt/sources.list:

deb http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch-proposed-updates/security-updates main contrib non-free

The archive signing key can be downloaded from
http://secure-testing-master.debian.net/ziyi-2005-7.asc

To install the update, run this command as root:

apt-get update && apt-get upgrade

For further information about the Debian testing security team, please refer to
http://secure-testing-master.debian.net/