Ubuntu alert USN-171-1 (php4)
From: Martin Pitt <martin.pitt@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Subject: [USN-171-1] PHP4 vulnerabilities
Date: Sat, 20 Aug 2005 17:19:27 +0200
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com

===========================================================
Ubuntu Security Notice USN-171-1            August 20, 2005
php4 vulnerabilities
CAN-2005-1751, CAN-2005-1759, CAN-2005-2498
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

php4-dev
php4-pear

The problem can be corrected by upgrading the affected package to version 4:4.3.8-3ubuntu7.12 (for Ubuntu 4.10), or 4:4.3.10-10ubuntu4.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

CAN-2005-1751:

The php4-dev package ships a copy of the "shtool" utility in /usr/lib/php4/build/, which provides useful functionality for developers of software packages. Eric Romang discovered that shtool created temporary files in an insecure manner. This could allow a symlink attack to create or overwrite arbitrary files with the privileges of the user invoking the shtool program.

CAN-2005-1759:

The creation of temporary files in shtool was also vulnerable to a race condition which allowed a local user to read the contents of the temporary file. However, this file does not usually contain sensitive information since shtool is usually used for building software packages.

CAN-2005-2498:

Stefan Esser discovered another remote code execution vulnerability in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server's privileges.

In Ubuntu, the PEAR extension is unsupported (it is contained in the php4-pear package which is part of universe). However, since this is a highly critical vulnerability, that package was fixed anyway.

Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in Ubuntu:

- drupal
- wordpress
- phpwiki
- horde3
- ewiki
- egroupware
- phpgroupware

These packages might be fixed by the community later.

The following common third party applications might be affected as well, but not packaged for Ubuntu:

- Serendipity
- Postnuke
- tikiwiki
- phpwebsite

If you run any affected software, please check whether you are affected and upgrade it as soon as possible to protect your server.

Updated packages for Ubuntu 4.10 (Warty Warthog):

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):