Fedora alert FEDORA-2008-2868 (mod_suphp)
From: updates@fedoraproject.org
To: fedora-package-announce@redhat.com
Subject: [SECURITY] Fedora 8 Update: mod_suphp-0.6.3-1.fc8
Date: Tue, 01 Apr 2008 21:38:33 +0000
Message-ID: <200804012145.m31LjPQS016718@bastion.fedora.phx.redhat.com>

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2868
2008-04-01 21:13:48
--------------------------------------------------------------------------------

Name        : mod_suphp
Product     : Fedora 8
Version     : 0.6.3
Release     : 1.fc8
URL         : http://www.suphp.org/
Summary     : An apache2 module for executing PHP scripts with the permissions of their owners
Description :
suPHP is an apache module for executing PHP scripts with the permissions of
their owners. It consists of an Apache module (mod_suphp) and a setuid root
binary (suphp) that is called by the Apache module to change the uid of the
process executing the PHP interpreter.

Please take a look at /usr/share/doc/mod_suphp-0.6.3/README.fedora for
installation instructions.

--------------------------------------------------------------------------------
Update Information:

This update is a security update fixing two local privilege escalation
problems.

mod_suphp 0.6.2 contains two race conditions in its symlink checks. Using this
attack vector, a local attacker can change symlinks in the window between the
security check and the PHP execution itself, leading suphp to execute code as
another local user.

These have been fixed in the 0.6.3 update, which contains no further code
changes, making a backport of the security fix unnecessary.
--------------------------------------------------------------------------------
ChangeLog:

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #439687 - local privilege escalation problems through symlinks found in mod_suphp
        https://bugzilla.redhat.com/show_bug.cgi?id=439687
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update mod_suphp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------

_______________________________________________
Fedora-package-announce mailing list
Fedora-package-announce@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-package-ann...
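
The race class named in the update information, as an added C example (not suPHP's code and not its actual 0.6.3 fix): a check made on the path followed by a second resolution of the path at open time, beside a form that opens once with O_NOFOLLOW and runs the checks on the descriptor. The function names and the scratch paths under /tmp are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: the path is resolved twice, so the object that was checked
 * and the object that is opened can differ if the path changes in between. */
int open_script_racy(const char *path, uid_t owner)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner)
        return -1;
    /* window: the checks above say nothing about what path names from here on */
    return open(path, O_RDONLY);
}

/* Hardened pattern: resolve the path once, refuse a symlink as the final
 * component, then run every check on the descriptor that was opened. */
int open_script_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                  /* ELOOP when the final component is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;                      /* keep using fd; never re-open by path */
}

int main(void)
{
    /* Constructed sample: a scratch file and a symlink pointing at it. */
    char dir[] = "/tmp/toctou-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(file, sizeof file, "%s/a.php", dir);
    snprintf(lnk, sizeof lnk, "%s/l.php", dir);
    close(open(file, O_CREAT | O_WRONLY, 0600));
    if (symlink(file, lnk) != 0) return 1;
    int ok = open_script_checked(file, geteuid());
    int bad = open_script_checked(lnk, geteuid());
    printf("regular: %s, symlink: %s\n", ok >= 0 ? "accepted" : "rejected", bad >= 0 ? "accepted" : "rejected");
    if (ok >= 0) close(ok);
    unlink(lnk); unlink(file); rmdir(dir);
    return 0;
}
```

O_NOFOLLOW only covers the final path component; symlinks in parent directories are still followed, so directory ownership and permissions need their own check.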