
Slackware 2004-154-02: Critical PHP Local Attack Security Advisory

June 2, 2004
New PHP packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix a security issue.

Summary

Here are the details from the Slackware 9.1 ChangeLog:

Wed Jun 2 11:28:17 PDT 2004
patches/packages/php-4.3.6-i486-1.tgz: Upgraded to php-4.3.6. This is compiled with c-client.a in /usr/local/lib/c-client/ to fix a problem in previous php packages where linking against the library in a path under /tmp caused an ELF rpath to this location to be built into the PHP binaries. A local attacker could (by placing shared libraries in this location) either crash PHP or cause arbitrary code to be executed as the PHP user (typically "nobody"). Thanks to Bryce Nichols for discovering this issue and bringing it to my attention.
(* Security fix *)
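To check other binaries for the same class of problem, the following added example (not part of the Slackware advisory) parses the output of readelf -d and flags RPATH/RUNPATH entries that an unprivileged local user could populate. The function names are hypothetical, and the rule it applies (the deepest existing ancestor of the entry is world-writable, or the entry is empty or relative) is an assumption of this sketch; directory ownership is not checked.

```python
import os
import re
import subprocess
import sys

# Matches the RPATH/RUNPATH lines printed by `readelf -d`.
_ENTRY = re.compile(r"\((RPATH|RUNPATH)\).*\[(.*)\]")

def parse_rpaths(readelf_output):
    """Return every directory listed in RPATH/RUNPATH dynamic entries."""
    dirs = []
    for line in readelf_output.splitlines():
        m = _ENTRY.search(line)
        if m:
            dirs.extend(m.group(2).split(":"))
    return dirs

def attacker_controllable(directory):
    """True if an unprivileged local user could place libraries there."""
    if directory.startswith("$ORIGIN") or directory.startswith("${ORIGIN}"):
        return False  # resolved relative to the binary; not judged here
    if not os.path.isabs(directory):
        return True   # empty or relative entry: resolved against the cwd
    probe = os.path.normpath(directory)
    while not os.path.isdir(probe):  # climb to the deepest existing ancestor
        probe = os.path.dirname(probe)
    # World-writable ancestor: anyone can create the missing path (as with
    # /tmp) or drop files directly. Ownership is not checked in this sketch.
    return bool(os.stat(probe).st_mode & 0o002)

def risky_rpaths(readelf_output):
    """Filter parsed rpath entries down to the attacker-controllable ones."""
    return [d for d in parse_rpaths(readelf_output) if attacker_controllable(d)]

def audit(binary):
    """Run readelf on one binary and return its risky rpath entries."""
    out = subprocess.run(["readelf", "-d", binary], capture_output=True,
                         text=True, check=True).stdout
    return risky_rpaths(out)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        for d in audit(path):
            print(f"{path}: rpath entry {d!r} is attacker-controllable")
```

Run it with the paths of the binaries and shared objects to audit as arguments; it prints nothing for a file whose rpath entries all resolve to directories that are not world-writable.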

Where to Find New Packages

Updated package for Slackware 8.1:
Updated package for Slackware 9.0:
Updated package for Slackware 9.1:
Updated package for Slackware -current:

MD5 Signatures

Slackware 8.1 package: cee32e839211a37b0081615b4112b87f php-4.3.6-i386-1.tgz
Slackware 9.0 package: eaa0c69981f0aa8cc6b2d4ef0269481c php-4.3.6-i386-1.tgz
Slackware 9.1 package: 007c48e42d292819b6cdc66e2e8334e0 php-4.3.6-i486-1.tgz
Slackware -current package: 07bcba5e37538f16941141c43006cec1 php-4.3.6-i486-4.tgz

Severity
critical


Installation Instructions

First, stop apache:

# apachectl stop

Next, upgrade the PHP package as root:

# upgradepkg php-4.3.6-i486-1.tgz

Finally, restart apache:

# apachectl start

Or, if you're running a secure server with mod_ssl:

# apachectl startssl
