-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2007.0167 -- [RedHat]
Important: php security update
15 March 2007
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:            php
Publisher:          Red Hat
Operating System:   Red Hat Enterprise Linux 5
Impact:             Execute Arbitrary Code/Commands
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-1285 CVE-2007-0988 CVE-2007-0910
                    CVE-2007-0909 CVE-2007-0908 CVE-2007-0907
                    CVE-2007-0906
Ref:                AA-2007.0005
Original Bulletin:  https://rhn.redhat.com/errata/RHSA-2007-0082.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis:      Important: php security update
Advisory ID:   RHSA-2007:0082-02
Advisory URL:  https://rhn.redhat.com/errata/RHSA-2007-0082.html
Issue date:    2007-03-13
Updated on:    2007-03-14
Product:       Red Hat Enterprise Linux
CVE Names:     CVE-2007-0906 CVE-2007-0907 CVE-2007-0908
               CVE-2007-0909 CVE-2007-0988 CVE-2007-0910
               CVE-2007-1285
- - ---------------------------------------------------------------------

1. Summary:

Updated PHP packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

A number of buffer overflow flaws were found in the PHP session extension;
the str_replace() function; and the imap_mail_compose() function.
If very long strings were passed to the str_replace() function, an integer
overflow could occur in memory allocation. If a script used the
imap_mail_compose() function to create a new MIME message based on an
input body from an untrusted source, it could result in a heap overflow.
An attacker with access to a PHP application affected by any of these
issues could trigger the flaws and possibly execute arbitrary code as the
'apache' user. (CVE-2007-0906)

When unserializing untrusted data on 64-bit platforms, the
zend_hash_init() function could be forced into an infinite loop, consuming
CPU resources for a limited time, until the script timeout alarm aborted
execution of the script. (CVE-2007-0988)

If the wddx extension was used to import WDDX data from an untrusted
source, certain WDDX input packets could expose a random portion of heap
memory. (CVE-2007-0908)

If the odbc_result_all() function was used to display data from a
database, and the database table contents were under an attacker's
control, a format string vulnerability was possible which could allow
arbitrary code execution. (CVE-2007-0909)

A one byte memory read always occurs before the beginning of a buffer.
This could be triggered, for example, by any use of the header() function
in a script. However it is unlikely that this would have any effect.
(CVE-2007-0907)

Several flaws in PHP could allow attackers to "clobber" certain
super-global variables via unspecified vectors. (CVE-2007-0910)

An input validation bug allowed a remote attacker to trigger a denial of
service attack by submitting an input variable with a deeply nested
array. (CVE-2007-1285)

Users of PHP should upgrade to these updated packages which contain
backported patches to correct these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network.
Details on how to use the Red Hat Network to apply this update are
available at http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

229013 - CVE-2007-0906 PHP security issues (CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988)
231597 - CVE-2007-1285 PHP Variable Destructor Deep Recursion Stack Overflow

6. RPMs required:

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/php-5.1.6-7.el5.src.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/php-5.1.6-7.el5.src.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0907
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0908
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0909
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0910
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1285
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFF+BaNXlSAg2UNWIIRAhxfAJ9ip8A1CTLUML/z4PpO+CXcZMU0tQCgrosR
pesgJ9SMJSFRFvqeJna4aPI=
=k5xl
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins
you should contact your local IT manager. If you do not know who that is,
please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRfigjih9+71yA2DNAQIyvgP/TetWQHSf5l4nwlSfHVRnE/7s+4uNanU3
j0aL5tIWqUZXssTYrgY2qhV4mkLoxkJtN8Iw401F2pmIFeiQOByMBG2ylhXsNuVG
I+iyTVC/kQN/LpxdXt2emMOwwuKXvoFyFdR//w8BTWWc4bl3nFZoNlP46Cu2rrUh
vGEMLJRKg74=
=r4oe
-----END PGP SIGNATURE-----
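
An added example, not part of the Red Hat or AusCERT text: a check that flags php packages older than the php-5.1.6-7.el5 build named in section 6 of the advisory. The package list is constructed sample data, the comparison is a simplified form of rpm's version ordering, and epochs are assumed absent.

```python
import re

# Fixed build taken from the advisory's SRPM name: php-5.1.6-7.el5
FIXED = ("5.1.6", "7.el5")

def rpmvercmp(a, b):
    """Simplified rpm ordering: compare runs of digits or letters in turn.
    Returns -1, 0 or 1. Tilde and caret handling are not implemented."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric runs compare as integers
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run outranks letters
        if x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1   # extra trailing runs mean newer

def unpatched(rpm_lines, fixed=FIXED):
    """Return (name, version-release) for php packages older than `fixed`.
    Input lines are "name version release", the shape produced by:
      rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\\n' 'php*'
    """
    stale = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, version, release = parts
        if name != "php" and not name.startswith("php-"):
            continue
        order = rpmvercmp(version, fixed[0]) or rpmvercmp(release, fixed[1])
        if order < 0:
            stale.append((name, f"{version}-{release}"))
    return stale

# Constructed sample inventory (not from the advisory)
SAMPLE = """\
php 5.1.6 5.el5
php-cli 5.1.6 7.el5
php-common 5.1.6 11.el5
php-imap 5.1.6 3.el5
httpd 2.2.3 6.el5
"""

if __name__ == "__main__":
    for name, vr in unpatched(SAMPLE.splitlines()):
        print(f"needs update: {name}-{vr}")
```
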