Fedora Legacy Test Update Notification: php

Marc Deslauriers marcdeslauriers at videotron.ca
Wed Sep 29 10:19:26 UTC 2004


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2004-1868
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=1868
2004-09-29
---------------------------------------------------------------------

Name        : php
Versions    : 7.3: 4.1.2-7.3.9.legacy, 9: 4.2.2-17.5.legacy
Summary     : The PHP HTML-embedded scripting language.
Description : 
PHP is an HTML-embedded scripting language. PHP attempts to make it
easy for developers to write dynamically generated webpages. PHP also
offers built-in database integration for several commercial and
non-commercial database management systems, so writing a
database-enabled webpage with PHP is fairly simple. The most common
use of PHP coding is probably as a replacement for CGI scripts. The
mod_php module enables the Apache Web server to understand and process
the embedded PHP language in Web pages.

---------------------------------------------------------------------
Update Information:

Stefan Esser discovered a flaw when memory_limit is enabled in versions of
PHP 4 before 4.3.8. If a remote attacker could force the PHP interpreter
to allocate more memory than the memory_limit setting before script
execution begins, then the attacker may be able to supply the contents of
a PHP hash table remotely. This hash table could then be used to execute
arbitrary code as the 'apache' user. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0594 to
this issue.

This issue has a higher risk when PHP is running on an instance of Apache
which is vulnerable to CAN-2004-0493. It may also be possible to exploit
this issue when a non-default PHP configuration is used in which the
"register_defaults" setting has been changed to "On".

Stefan Esser discovered a flaw in the strip_tags function in versions of
PHP before 4.3.8. The strip_tags function is commonly used by PHP scripts
to prevent Cross-Site-Scripting attacks by removing HTML tags from
user-supplied form data. By embedding NUL bytes into form data, HTML tags
can in some cases be passed intact through the strip_tags function, which
may allow a Cross-Site-Scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0595 to
this issue.
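As an added illustration (not part of this advisory, and not code from the PHP project), the defensive pattern that the strip_tags issue above calls for: NUL and other control bytes are removed before any sanitiser sees the form data, and the value is HTML-encoded on output so protection does not depend on strip_tags having caught every tag. The function names, the CONTROL_BYTES pattern and the sample form value are constructed for this example; modern PHP syntax (typed parameters) is assumed.

```php
<?php
// Added example, not from the advisory or from PHP itself.
// Lesson of CAN-2004-0595: strip_tags() is a sanitiser, and a sanitiser
// can be fooled by bytes it does not expect (here, NUL). Defend in layers:
//  1. detect/remove NUL and other control bytes before any sanitiser runs;
//  2. HTML-encode on output instead of trusting the sanitiser alone.

// C0 control bytes other than tab, LF and CR, plus DEL; none of these
// belong in a text form field. (Constructed name for this example.)
const CONTROL_BYTES = '/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/';

// True if the raw field contains control bytes (worth logging as a probe).
function has_control_bytes(string $raw): bool
{
    return preg_match(CONTROL_BYTES, $raw) === 1;
}

// Normalise first, then strip markup, so the NUL-byte case the advisory
// describes never reaches strip_tags() at all.
function clean_text_field(string $raw): string
{
    $normalised = preg_replace(CONTROL_BYTES, '', $raw);
    return strip_tags($normalised);
}

// Output encoding is the step that actually stops the browser from treating
// user text as markup, whatever strip_tags() did or did not remove.
function render_text_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed form value: a NUL byte ("\0") sits inside the opening tag.
$raw = "Hello <b\0>world</b>";

if (has_control_bytes($raw)) {
    // A NUL in a text field is not legitimate input; record it.
    error_log('form field contained NUL/control bytes; cleaned before use');
}
echo render_text_field(clean_text_field($raw)), "\n";
```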

---------------------------------------------------------------------
7.3 changelog:
* Sun Aug 01 2004 John Dalbec <jpdalbec at ysu.edu> 4.1.2-7.3.9.legacy

- Added missing BuildRequires: flex mm-devel libtool

* Mon Jul 26 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1.2-7.3.8.legacy

- Added better security fix for CAN-2004-0594
- Added fixes for various compiler warnings

* Thu Jul 15 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.1.2-7.3.7.legacy

- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes
- Added imap-devel BuildRequires

9 changelog:
* Tue Sep 28 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.2.2-17.5.legacy

- Added flex and libtool to BuildRequires

* Mon Jul 26 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.2.2-17.4.legacy

- Added better security fix for CAN-2004-0594

* Thu Jul 15 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
4.2.2-17.3.legacy

- Added security fix for CAN-2004-0594
- Added security fix for CAN-2004-0595
- Added a few more fixes

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedoralegacy.org/redhat/
(sha1sums)


---------------------------------------------------------------------

Please test and comment in bugzilla.