Debian alert: New version of Debian php4 packages released

Posted by dave on Oct 13, 2000 11:36 PM EDT
Mailing list
Mail this story
Print this story

In versions of the PHP 4 packages before version 4.0.3, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server.

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------
Debian Security Advisory                                 security@debian.org
http://www.debian.org/security/                            Daniel Jacobowitz
October 14, 2000
- ----------------------------------------------------------------------------

Package: php4
Vulnerability: possible remote exploit
Debian-specific: no
Vulnerable: yes

In versions of the PHP 4 packages before version 4.0.3, several format
string bugs could allow properly crafted requests to execute code as the
user running PHP scripts on the web server.

This problem is fixed in versions 4.0.3-0potato1 for Debian 2.2 (potato) and 
4.0.3-1 for Debian Unstable (woody).  This is a bug fix release and we recommend
all users of php4 upgrade to it; potato users should note that this is an
upgrade from 4.0b3, but no incompatibilities are expected.

Debian GNU/Linux 2.1 alias slink
- --------------------------------

  Slink does not contain any php4 packages, and is therefore not affected.

Debian GNU/Linux 2.2 (stable) alias potato
- ------------------------------------------

  Fixes are currently available for the Alpha, Intel ia32, Motorola 680x0,
  PowerPC and Sun SPARC architectures, and will be included in 2.2r1.

  Source archives:
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1.diff.gz
      MD5 checksum: a4a9ce00f9b85966521fccf91c20b1fe
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1.dsc
      MD5 checksum: 26e0cc7624981b4872e104b62151c4b1
    http://security.debian.org/dists/potato/php4_4.0.3.orig.tar.gz
      MD5 checksum: e80223ed44a445bbf202cd9a41a8fbbb

  Architecture indendent archives:
    http://security.debian.org/dists/potato/php4-dev_4.0.3-0potato1_all.deb
      MD5 checksum: 04b2040609b61c7c2ad391a23450ec66

  Alpha architecture:
    http://security.debian.org/dists/potato/php4-cgi-gd_4.0.3-0potato1_alpha.deb
      MD5 checksum: d3fe7fef73c4b598a81fa2190d0c9eb5
    http://security.debian.org/dists/potato/php4-cgi-imap_4.0.3-0potato1_alpha.deb
      MD5 checksum: 1231668e5b49c44ec5aa1cf6260537ba
    http://security.debian.org/dists/potato/php4-cgi-ldap_4.0.3-0potato1_alpha.deb
      MD5 checksum: 7cbe170c8dc9d1692b5e3a59f225dc35
    http://security.debian.org/dists/potato/php4-cgi-mhash_4.0.3-0potato1_alpha.deb
      MD5 checksum: d41ac1166ace253daa79da899b60f1d2
    http://security.debian.org/dists/potato/php4-cgi-mysql_4.0.3-0potato1_alpha.deb
      MD5 checksum: 7ce535f98712a5b925e0e0c939623395
    http://security.debian.org/dists/potato/php4-cgi-pgsql_4.0.3-0potato1_alpha.deb
      MD5 checksum: 49fa22bbd37e6da2b42f2988c34f062f
    http://security.debian.org/dists/potato/php4-cgi-snmp_4.0.3-0potato1_alpha.deb
      MD5 checksum: 3c8ae9b6caff94e3cfe9396929678ea8
    http://security.debian.org/dists/potato/php4-cgi-xml_4.0.3-0potato1_alpha.deb
      MD5 checksum: b6b109a24e81a346cae7ede4acb7b8d6
    http://security.debian.org/dists/potato/php4-cgi_4.0.3-0potato1_alpha.deb
      MD5 checksum: f9dfaf4d72f9fd72684a6c1ef70e88f0
    http://security.debian.org/dists/potato/php4-gd_4.0.3-0potato1_alpha.deb
      MD5 checksum: d738d12da802f8335c367c9c74f84702
    http://security.debian.org/dists/potato/php4-imap_4.0.3-0potato1_alpha.deb
      MD5 checksum: 93171ea93342cd4818cc2e470bf755dd
    http://security.debian.org/dists/potato/php4-ldap_4.0.3-0potato1_alpha.deb
      MD5 checksum: a566dcef79feaa5835bac1fdf25447c9
    http://security.debian.org/dists/potato/php4-mhash_4.0.3-0potato1_alpha.deb
      MD5 checksum: 10bbe8213e8016321c1c39dfa4c71d00
    http://security.debian.org/dists/potato/php4-mysql_4.0.3-0potato1_alpha.deb
      MD5 checksum: 82eaa050345ebb04183ba54cb91d1dd3
    http://security.debian.org/dists/potato/php4-pgsql_4.0.3-0potato1_alpha.deb
      MD5 checksum: 7756b53bd8889e76bb53ee200efa762a
    http://security.debian.org/dists/potato/php4-snmp_4.0.3-0potato1_alpha.deb
      MD5 checksum: 8768e4ac8a49fcd8fb93a39565ba9f6b
    http://security.debian.org/dists/potato/php4-xml_4.0.3-0potato1_alpha.deb
      MD5 checksum: 1766704f4c160d70bbc8ceabbacb0485
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1_alpha.deb
      MD5 checksum: ab46675a4746fb9c6d98d41f69d6c39d

  Intel ia32 architecture:
    http://security.debian.org/dists/potato/php4-cgi-gd_4.0.3-0potato1_i386.deb
      MD5 checksum: 950b8d77cabb51fa3fee93f542923b22
    http://security.debian.org/dists/potato/php4-cgi-imap_4.0.3-0potato1_i386.deb
      MD5 checksum: 4a1b39e86058ddef899ea7e30c165997
    http://security.debian.org/dists/potato/php4-cgi-ldap_4.0.3-0potato1_i386.deb
      MD5 checksum: f7ff7751166164afee9f213f088fd293
    http://security.debian.org/dists/potato/php4-cgi-mhash_4.0.3-0potato1_i386.deb
      MD5 checksum: 353afa5861d49ccc6c2d2fd3dafad21d
    http://security.debian.org/dists/potato/php4-cgi-mysql_4.0.3-0potato1_i386.deb
      MD5 checksum: 3d1336623f1e32d42efbb32097e50517
    http://security.debian.org/dists/potato/php4-cgi-pgsql_4.0.3-0potato1_i386.deb
      MD5 checksum: fcb4d91a0400a4a9f7e9f97b95a82efd
    http://security.debian.org/dists/potato/php4-cgi-snmp_4.0.3-0potato1_i386.deb
      MD5 checksum: d9c7aecfa1f2976f416936333d263323
    http://security.debian.org/dists/potato/php4-cgi-xml_4.0.3-0potato1_i386.deb
      MD5 checksum: fdf4a7f0a185a9ca340378e6dbb982f7
    http://security.debian.org/dists/potato/php4-cgi_4.0.3-0potato1_i386.deb
      MD5 checksum: 5050b7fc859f50621a0d54922832c2f1
    http://security.debian.org/dists/potato/php4-gd_4.0.3-0potato1_i386.deb
      MD5 checksum: 10c0fa0f35e0527f3e2cd1b5b6602ab6
    http://security.debian.org/dists/potato/php4-imap_4.0.3-0potato1_i386.deb
      MD5 checksum: b411fb51803d7a96ad5eec056de9a41f
    http://security.debian.org/dists/potato/php4-ldap_4.0.3-0potato1_i386.deb
      MD5 checksum: 341d2bebc353f2ac4948a41d8b3fdb8c
    http://security.debian.org/dists/potato/php4-mhash_4.0.3-0potato1_i386.deb
      MD5 checksum: f6d0465fc1c25d4deecd15dd5e60927b
    http://security.debian.org/dists/potato/php4-mysql_4.0.3-0potato1_i386.deb
      MD5 checksum: a521a0332ee5c2ff325789c21c9bcc60
    http://security.debian.org/dists/potato/php4-pgsql_4.0.3-0potato1_i386.deb
      MD5 checksum: 979ffc72564dcd02dae7bb2d97f73bbc
    http://security.debian.org/dists/potato/php4-snmp_4.0.3-0potato1_i386.deb
      MD5 checksum: 3a174bf266dec089aba50049090fc518
    http://security.debian.org/dists/potato/php4-xml_4.0.3-0potato1_i386.deb
      MD5 checksum: 94ac2a5dbb47e4cf86c95579cff37320
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1_i386.deb
      MD5 checksum: ac2b7d167760365d1143caa0483ca9d8

  Motorola 680x0 architecture:
    http://security.debian.org/dists/potato/php4-cgi-gd_4.0.3-0potato1_m68k.deb
      MD5 checksum: cf953a514fc74d16330a5fd61ca6f1d2
    http://security.debian.org/dists/potato/php4-cgi-imap_4.0.3-0potato1_m68k.deb
      MD5 checksum: 54a1330b08760e2105a297652262b5f0
    http://security.debian.org/dists/potato/php4-cgi-ldap_4.0.3-0potato1_m68k.deb
      MD5 checksum: 3e589a6b10fd4c5b8cf0bcc823e1c136
    http://security.debian.org/dists/potato/php4-cgi-mhash_4.0.3-0potato1_m68k.deb
      MD5 checksum: 0bee1f3abd78718cd2ccc48862cd62d3
    http://security.debian.org/dists/potato/php4-cgi-mysql_4.0.3-0potato1_m68k.deb
      MD5 checksum: 8dc08d54bed91db40dce3d66f3ec4515
    http://security.debian.org/dists/potato/php4-cgi-pgsql_4.0.3-0potato1_m68k.deb
      MD5 checksum: 1b61adc8cf8f0a9782057d622aedcedf
    http://security.debian.org/dists/potato/php4-cgi-snmp_4.0.3-0potato1_m68k.deb
      MD5 checksum: 0ba4613f858af4679d28bac799d9381d
    http://security.debian.org/dists/potato/php4-cgi-xml_4.0.3-0potato1_m68k.deb
      MD5 checksum: 60047aecb794b0988e6834ad51991e6c
    http://security.debian.org/dists/potato/php4-cgi_4.0.3-0potato1_m68k.deb
      MD5 checksum: c50c7ea097c5ba876de023f519582c3b
    http://security.debian.org/dists/potato/php4-gd_4.0.3-0potato1_m68k.deb
      MD5 checksum: 5fd8393cd6d3bb17c5a0cb91846c3c4e
    http://security.debian.org/dists/potato/php4-imap_4.0.3-0potato1_m68k.deb
      MD5 checksum: 1f1fc4b0822bebf7fc1c8832066cce2d
    http://security.debian.org/dists/potato/php4-ldap_4.0.3-0potato1_m68k.deb
      MD5 checksum: de194dfccf9acbe7acf674949bd306c9
    http://security.debian.org/dists/potato/php4-mhash_4.0.3-0potato1_m68k.deb
      MD5 checksum: 2329a5ee7ad19c0a791923fddb8a35c1
    http://security.debian.org/dists/potato/php4-mysql_4.0.3-0potato1_m68k.deb
      MD5 checksum: 9a9ada8c95f121ab1ae7b9137990e54b
    http://security.debian.org/dists/potato/php4-pgsql_4.0.3-0potato1_m68k.deb
      MD5 checksum: a2b7f9d325021b55c3f33e8744b91793
    http://security.debian.org/dists/potato/php4-snmp_4.0.3-0potato1_m68k.deb
      MD5 checksum: 3892fc2afd953838847d38a1787dd289
    http://security.debian.org/dists/potato/php4-xml_4.0.3-0potato1_m68k.deb
      MD5 checksum: 94fa954c37a23af00976b231bf1fd4f6
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1_m68k.deb
      MD5 checksum: ca8ff47ba9b93365b9d05ba397b02608

  PowerPC architecture:
    http://security.debian.org/dists/potato/php4-cgi-gd_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 77f491b502259bba05cbe3a0ee1366f3
    http://security.debian.org/dists/potato/php4-cgi-imap_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 920705ee0db58017de6a45e3343e9903
    http://security.debian.org/dists/potato/php4-cgi-ldap_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 89a30a1bdba82ab3b97c4a15d592b9e0
    http://security.debian.org/dists/potato/php4-cgi-mhash_4.0.3-0potato1_powerpc.deb
      MD5 checksum: dea22760f061bea67e95336b145965f6
    http://security.debian.org/dists/potato/php4-cgi-mysql_4.0.3-0potato1_powerpc.deb
      MD5 checksum: a62c51d74bf005ac33aef5f20976a26c
    http://security.debian.org/dists/potato/php4-cgi-pgsql_4.0.3-0potato1_powerpc.deb
      MD5 checksum: e8594ffbda40270ce33510307cd2b8c9
    http://security.debian.org/dists/potato/php4-cgi-snmp_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 5f463d50289c4d73085a1c06317b2d0c
    http://security.debian.org/dists/potato/php4-cgi-xml_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 67a88882315b6a80e52066b15a5430f1
    http://security.debian.org/dists/potato/php4-cgi_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 562d0f98df13c64446b5f9157b164890
    http://security.debian.org/dists/potato/php4-gd_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 5cd5a5c626174e945804a9eeb78b357b
    http://security.debian.org/dists/potato/php4-imap_4.0.3-0potato1_powerpc.deb
      MD5 checksum: b79798b045e33f1633948b3f9187fd17
    http://security.debian.org/dists/potato/php4-ldap_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 46d1767444a584cc5857fcf4ad69c1d7
    http://security.debian.org/dists/potato/php4-mhash_4.0.3-0potato1_powerpc.deb
      MD5 checksum: c885eb618264bbd7ed40182176c9a627
    http://security.debian.org/dists/potato/php4-mysql_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 4761cb89398d57b0faffd8266775c008
    http://security.debian.org/dists/potato/php4-pgsql_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 5caecc8f2ab14ea88f18be1e28158113
    http://security.debian.org/dists/potato/php4-snmp_4.0.3-0potato1_powerpc.deb
      MD5 checksum: 644c612dc6311f8fb1eaa7a7e5292341
    http://security.debian.org/dists/potato/php4-xml_4.0.3-0potato1_powerpc.deb
      MD5 checksum: f8de34081f2cd5a7373eb441b797d3df
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1_powerpc.deb
      MD5 checksum: eb844ebce5c2674c0981295d0992d9ff

  Sun Sparc architecture:
    http://security.debian.org/dists/potato/php4-cgi-gd_4.0.3-0potato1_sparc.deb
      MD5 checksum: d467f114370d358e0a02ea1de2495b4e
    http://security.debian.org/dists/potato/php4-cgi-imap_4.0.3-0potato1_sparc.deb
      MD5 checksum: fb9d8131160fd7915bd1e2c700662323
    http://security.debian.org/dists/potato/php4-cgi-ldap_4.0.3-0potato1_sparc.deb
      MD5 checksum: 9eed208d160ba83cab07a99d83448800
    http://security.debian.org/dists/potato/php4-cgi-mhash_4.0.3-0potato1_sparc.deb
      MD5 checksum: a90eb840733313cc4daf1e57f3cddf63
    http://security.debian.org/dists/potato/php4-cgi-mysql_4.0.3-0potato1_sparc.deb
      MD5 checksum: ee479f23bad040b9fa4fc960bb0998b8
    http://security.debian.org/dists/potato/php4-cgi-pgsql_4.0.3-0potato1_sparc.deb
      MD5 checksum: 6339a967c077b4eae3cf32974657759c
    http://security.debian.org/dists/potato/php4-cgi-snmp_4.0.3-0potato1_sparc.deb
      MD5 checksum: 2cda52b681eb985958135434edeb5ae6
    http://security.debian.org/dists/potato/php4-cgi-xml_4.0.3-0potato1_sparc.deb
      MD5 checksum: 756fa42bf5d0af442291efa6ad719b38
    http://security.debian.org/dists/potato/php4-cgi_4.0.3-0potato1_sparc.deb
      MD5 checksum: f4dbb48a2c0c904d3180e4699426f20a
    http://security.debian.org/dists/potato/php4-gd_4.0.3-0potato1_sparc.deb
      MD5 checksum: 90f994f67c2a0a902a16aeb2acac9556
    http://security.debian.org/dists/potato/php4-imap_4.0.3-0potato1_sparc.deb
      MD5 checksum: 17997e09572e612f4fc3d0aad8b74fe8
    http://security.debian.org/dists/potato/php4-ldap_4.0.3-0potato1_sparc.deb
      MD5 checksum: a9985cd2954c5d44d6e7a57d717c0097
    http://security.debian.org/dists/potato/php4-mhash_4.0.3-0potato1_sparc.deb
      MD5 checksum: 49aa1c86cb9ec06c17bc2d727b75e1b0
    http://security.debian.org/dists/potato/php4-mysql_4.0.3-0potato1_sparc.deb
      MD5 checksum: bac338543482d242d1c5cd936690eb1f
    http://security.debian.org/dists/potato/php4-pgsql_4.0.3-0potato1_sparc.deb
      MD5 checksum: 5f8ff8caf9086525012db9234a94ff8c
    http://security.debian.org/dists/potato/php4-snmp_4.0.3-0potato1_sparc.deb
      MD5 checksum: 5d20c6b5fce5bbeb04a422a7ee3cbadd
    http://security.debian.org/dists/potato/php4-xml_4.0.3-0potato1_sparc.deb
      MD5 checksum: e0360986406d5f566356f0389bd338dc
    http://security.debian.org/dists/potato/php4_4.0.3-0potato1_sparc.deb
      MD5 checksum: c25c1000ce84068fb5ae3b0c36a2c154

Debian GNU/Linux Unstable alias woody
- -------------------------------------

  This version of Debian is not yet released.

  Fixes are currently available for Alpha and Intel ia32 in the Debian
  archives; fixes for other architectures will be made available shortly.

- ----------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
Mailing list: debian-security-announce@lists.debian.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBOegMiz5fjwqn/34JAQFrIwP+J/lSvsEBHLeyoBmvb4N3jdOfTP9xFc9w
o6riZja3sZbN0czxqayKpD0BmJf6safDUR9+8RWuk/eDHtq6whoGiC7t1V6yY/uI
iO7/5GV3V7zUzXj1Dldq+Wj3ZnUXfFFJuWXZAA1LWcIOcHpvcmOtJdc+AIstHbF5
wSGuzAhqxTc=
=YUWr
-----END PGP SIGNATURE-----


  Nav
» Read more about: Story Type: Security; Groups: Debian

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.