Advisories | Mandriva

Package name	php
Date	August 4th, 2003
Advisory ID	MDKSA-2003:082
Affected versions	8.2, 9.0, 9.1, MNF8.2, CS2.1
Synopsis	Updated php packages fix vulnerabilities

Problem Description

A vulnerability was discovered in the transparent session ID support
in PHP4 prior to version 4.3.2. It did not properly escape user-
supplied input prior to inserting it in the generated web page. This
could be exploited by an attacker to execute embedded scripts within
the context of the generated HTML (CAN-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages
included with Mandrake Linux 8.2: The mail() function did not filter
ASCII control filters from its arguments, which could allow an attacker
to modify the mail message content (CAN-2002-0986). Another
vulnerability in the mail() function would allow a remote attacker to
bypass safe mode restrictions and modify the command line arguments
passed to the MTA in the fifth argument (CAN-2002-0985).

All users are encouraged to upgrade to these patched packages.

Updated Packages

Mandrakelinux 8.2

 a7ba8429a705ba764be5be5baa5d8f92  8.2/RPMS/php-4.1.2-1.1mdk.i586.rpm
848bd3bb74b2fa3b24d9a1f05ca651c2  8.2/RPMS/php-common-4.1.2-1.1mdk.i586.rpm
3b94f6e3e8ba24fa5b71fa93e3d2eb25  8.2/RPMS/php-devel-4.1.2-1.1mdk.i586.rpm
465bdb929c9df6bb156b2910a2a21b98  8.2/SRPMS/php-4.1.2-1.1mdk.src.rpm

Mandrakelinux 8.2/PPC

 10fd0c4e0d65516654bee858d40b66af  ppc/8.2/RPMS/php-4.1.2-1.1mdk.ppc.rpm
d3f047831dc4b093eb30b8e343256207  ppc/8.2/RPMS/php-common-4.1.2-1.1mdk.ppc.rpm
96c4e2196b61066b6a57c013265ff612  ppc/8.2/RPMS/php-devel-4.1.2-1.1mdk.ppc.rpm
465bdb929c9df6bb156b2910a2a21b98  ppc/8.2/SRPMS/php-4.1.2-1.1mdk.src.rpm

Mandrakelinux 9.0

 758b1a556caf000d93413eb8c15753c4  9.0/RPMS/php-4.2.3-4.1mdk.i586.rpm
e1d95a181a57c88856f48171fd0d9cff  9.0/RPMS/php-common-4.2.3-4.1mdk.i586.rpm
60e292858ee79c53e429a141253fa388  9.0/RPMS/php-devel-4.2.3-4.1mdk.i586.rpm
5a1f0075209cb38b3fdba3eeaf785e25  9.0/RPMS/php-pear-4.2.3-4.1mdk.i586.rpm
e509b58e93bf56cac67ccc698db40f51  9.0/SRPMS/php-4.2.3-4.1mdk.src.rpm

Mandrakelinux 9.1

 6b619580c7746d6fb7de30e18ccbc8eb  9.1/RPMS/libphp_common430-430-11.1mdk.i586.rpm
2257ab6cab4132c3cb3d7194b24f385f  9.1/RPMS/php-cgi-4.3.1-11.1mdk.i586.rpm
eefa69b71480d00a111e7ad05f74576a  9.1/RPMS/php-cli-4.3.1-11.1mdk.i586.rpm
a60a59d10f0450b324f2b1b5562da780  9.1/RPMS/php430-devel-430-11.1mdk.i586.rpm
e5e4397440f44a88bec02fc10328c745  9.1/SRPMS/php-4.3.1-11.1mdk.src.rpm

Mandrakelinux 9.1/PPC

 6b619580c7746d6fb7de30e18ccbc8eb  ppc/9.1/RPMS/libphp_common430-430-11.1mdk.i586.rpm
2257ab6cab4132c3cb3d7194b24f385f  ppc/9.1/RPMS/php-cgi-4.3.1-11.1mdk.i586.rpm
eefa69b71480d00a111e7ad05f74576a  ppc/9.1/RPMS/php-cli-4.3.1-11.1mdk.i586.rpm
a60a59d10f0450b324f2b1b5562da780  ppc/9.1/RPMS/php430-devel-430-11.1mdk.i586.rpm
e5e4397440f44a88bec02fc10328c745  ppc/9.1/SRPMS/php-4.3.1-11.1mdk.src.rpm

Multi Network Firewall 8.2

 848bd3bb74b2fa3b24d9a1f05ca651c2  mnf8.2/RPMS/php-common-4.1.2-1.1mdk.i586.rpm
465bdb929c9df6bb156b2910a2a21b98  mnf8.2/SRPMS/php-4.1.2-1.1mdk.src.rpm

Corporate Server 2.1

 758b1a556caf000d93413eb8c15753c4  corporate/2.1/RPMS/php-4.2.3-4.1mdk.i586.rpm
e1d95a181a57c88856f48171fd0d9cff  corporate/2.1/RPMS/php-common-4.2.3-4.1mdk.i586.rpm
60e292858ee79c53e429a141253fa388  corporate/2.1/RPMS/php-devel-4.2.3-4.1mdk.i586.rpm
5a1f0075209cb38b3fdba3eeaf785e25  corporate/2.1/RPMS/php-pear-4.2.3-4.1mdk.i586.rpm
e509b58e93bf56cac67ccc698db40f51  corporate/2.1/SRPMS/php-4.2.3-4.1mdk.src.rpm

Corporate Server 2.1/X86_64

 5d16fe6239287e468dd75852cb43e6d3  x86_64/corporate/2.1/RPMS/php-4.2.3-4.1mdk.x86_64.rpm
d712ce373cd416f7e523dba8b0171ccc  x86_64/corporate/2.1/RPMS/php-common-4.2.3-4.1mdk.x86_64.rpm
51bd73c0704e20fac62d98e2380edb3e  x86_64/corporate/2.1/RPMS/php-devel-4.2.3-4.1mdk.x86_64.rpm
06ef571267aaa0a2e614873d888dbb63  x86_64/corporate/2.1/RPMS/php-pear-4.2.3-4.1mdk.x86_64.rpm
e509b58e93bf56cac67ccc698db40f51  x86_64/corporate/2.1/SRPMS/php-4.2.3-4.1mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0986

Upgrade

To upgrade automatically, use MandrivaUpdate.

Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.