-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: php4,php5
Announcement ID: SUSE-SA:2006:052
Date: Thu, 21 Sep 2006 12:00:00 +0000
Affected Products: Novell Linux POS 9
Open Enterprise Server
SLE SDK 10
SUSE LINUX 10.1
SUSE LINUX 10.0
SUSE LINUX 9.3
SUSE LINUX 9.2
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SUSE LINUX Retail Solution 8
SuSE Linux School Server
SuSE Linux Standard Server 8
SUSE SLES 10
SUSE SLES 9
UnitedLinux 1.0
Vulnerability Type: remote code execution
Severity (1-10): 5
SUSE Default Package: no
Cross-References: CVE-2006-2563, CVE-2006-4020, CVE-2006-4481
CVE-2006-4482, CVE-2006-4483, CVE-2006-4484
Content of This Advisory:
1) Security Vulnerability Resolved:
php4 and php5 security problems
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
Various security problems have been fixed in the PHP script
language engine and its modules, versions 4 and 5.
The PHP4 updated packages were released on September 12, the PHP5
update packages were released on September 20.
The following security problems were fixed, with respective Mitre
CVE ID:
- The CURL module lacked checks for control characters (CVE-2006-2563)
- A potential basedir evasion in the CURL module (CVE-2006-4483)
- basedir and safemode evasion in the IMAP module (CVE-2006-4481)
- str_repeat() contained an integer overflow (CVE-2006-4482)
- GIF LZWReadByte overflow in the GD extension (CVE-2006-4484)
- ext/wddx contained a buffer overflow
- memory_limit() lacked checks for integer overflows
- fixed memory overflow in foreach (CVE-2006-4482)
- a bug in sscanf() could potentially be exploited to execute arbitrary code (CVE-2006-4020)
2) Solution or Work-Around
There is no known workaround, please install the update packages.
3) Special Instructions and Notes
Please close and restart all running instances of apache and apache2 after the update.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
to apply the update, replacing with the filename of the
downloaded RPM package.
x86 Platform:
SUSE LINUX 10.1:
8936b85744d4fc0679fa3ecb01241ad4
05c943f8791e8c27cae744c90028ce84
15367a8a1d1bbf08d5b3bd37a08e329f
76b51b9e5c525ebabd52aea5b588e18e
726732d2758b5e3cb5390b089c158efe
c195e60cae48447af36854801b6ce063
2f9be84c019a88e7b5ea91ccf33c8cb7
6eb8e865acc9d507a50589bc26094d2a
26713a185511d55324775f7166dca5c8
1e7090b251a4b9c37a68bd26c633d59d
f874e52e7b71e25e954f5b1cadcca239
9aed86afbf7923a66f72bd4f7cb4bf18
0ce67bbec20d3933d4eb1ba49117d01d
4e05abc4e56cf05ddc31678d01c4ca11
2da6c06a2e4eba06ea34ab1ebc2f0f5f
fd2673f24195733d5c7efaf00b0b93cb
8a66acc9cb55532003e9732ea23e16ba
c8396008eacaf6bf4f8bcfe76029b9e4
ffa119e44cdc3fb5fabba53b4d71beca
c900f5c407201246f33242ff140921a7
978f86a644c840fb2025029ffd442756
dff9b44b112366d77797fc14f5860687
21bd1f4bb6333c050433af28329f5175
SUSE LINUX 10.0:
0826135f5a6adb72b7fb76c224e961e5
ea651421644344d819c09657e8bf4cbb
b49f51dc41b1f78e9d75e38b597a78e9
eceb8ba7aee1fd11f26fdf3aeb130a23
179ac585bc9d7cb0f790a2d8943d8331
cadfbeb0736052e9c65e2c866e3c488e
33ef26231502942dc679ca7e3a1f0b07
f0377f81a39dbec44fadd9f890ab710e
ac459e842c6430c5cd0ceef19a524006
b331f9ce7d5a2eb06a6f58fd02fa5711
ee820c73df5b479cb6fdea4487e9339f
dd70729a66b59bf877a7ad4ab98923b8
0909d275dc1a2b552c570aef4fe5ece7
2e62bd1c728b273028f04855d7f047ca
dd66143160606fca5ddefe9a15e6cd49
fa9e9761a9e16eb4c1111f8852d72c23
2f45db6c7641553384a278203a9a499d
f6e832a9db273b1276759c275da01acd
e10c44d54b8702312fb55806e7311d07
bfb41b1d29a37b16d9157273530095ac
e6abfb9618f4fb01985d274de9edf3c3
007261957f7d68c84848c2ac5cf9cabe
c755696cab8db4939606f258a6f0f829
f8683dc9c41dbad0abe7deeb43709c93
60e0796af4343c65b7053db88459d832
9a4f98f58f94564cbca814650f73f0d0
fddc6b655fbab589542064c7a2e7faa3
ef7f9d2787ed567720a1c28bad524eb8
98a7aa1aafca47f773a87252ed4afa29
ce2b78e9c9747c50fc000c60a14f3bf1
61714b39589d00c7ee7c66ce030b8b4d
07e976a5f57c33ee4a268dcc9205b217
e7dc5a940efb47703a5835d7da679752
37b0e98284f9ac09c3ce6c6212104f5c
e61ce92e87cbac1bed9b450fe3f125b3
SUSE LINUX 9.3:
53c2a628dc059035abb71771a9924088
8ba79eb44c374f75eb1499ec67ed0aaa
d26ca08214ef83085b2814a8f45d6f6a
1906ce2ba1ad314114bd73b03a6869cf
3ac484fe68c4da67c234d0516895b6d9
f7ed459d2eef8c8e20d360d92857d6a4
190ffe8e4956bf47df80dbffbb09f78a
8815199cfda3c074da63bbbe0b8ac13b
6252c6e6b2b280b37e7d46ca8affe806
69884f260d056c656574537c2065d7b1
23b883c38a2d6bd89a99770b802e958c
76e5007fd8340678534d97a00bd4aac3
b2e93e6f858e413015dd9c49ef6f43c2
c7de5c1644b413140dfeb0079713d68c
109bf46b42af8451440b2b12ea2d7e74
0a1f381f6306b580ab7bff8cb37aad55
1cc974d0c46440027b6834c485bd6c55
8ec38fb68f0dfa016197f7176b74c4bb
2220b978d57bed97d1e12ecd7fd80a20
fcecf5db2bdcccaddf86a114aa427f71
cf2f3aad0fe5a7f9dfd9d79097cc6d89
53e9937fa54ecaba299d5670e73a8f0e
954d519c8223d5afff863eb497337139
620186472403641f0889d3a750424ea5
403f1ace2182a1d56cd81a9350c93732
cbd9fd2960b1e250c466161693135c37
fe6f1702e44ee4fcb941b95d1bf8a7e4
6ae3b3939b8071848a7a6a5a68720bda
1bbb5beddb631dc58c88b5907c3ced63
03c5828cdfd325a70e2fb0d443bee7fc
b31fbad17afca8b314669c5520e3df03
8d4423ef232e330fd1c038b3efa2f566
9b9d282f6c2a05b7c12a3b4dee0a3a0a
d21df50df08db5b53782ca490136c948
dc4b016345d833349787788cfa6bd9dd
bbfeb1b11813dc28a468b8212b892a71
8125577c0c43264ff0f244932451de8a
SUSE LINUX 9.2:
5af4e60fd1a4f1f443cfb2acd86ad050
5dc929f21f27c0bb7fdb673eb8ccd3eb
583483410677adbf026d8d0e44eeb560
9ae866d2c1ff8854c87f57c9a45846f1
6bef4d818184a299b1d014cd85a2c4c4
20b1a0bd5ecdd28b713d8a6af8882da1
7c9b3f6f35a6534df08379c9fdafc4ed
79f244100af155718887d877d1e62e92
2a053d094afe319654f22bfecdc2d4ea
e8720c7a439175885ee6454957828a7a
82ca1fc363a45ce02531f673d298c2c5
1397f82a2a646c3f429d60f6b76d68f7
49bce690abd49902c607e71267e16281
58b51de1fea6746c6a3087ad7fed660e
c5e15449174214584ae39e043aff0ba3
Power PC Platform:
SUSE LINUX 10.1:
e44782596c9566f10cd796758f5f2492
de38d51552b0581329c2fc6e527bdb70
744a0385fed08aba4242eb3511c1145a
30cfdb26b5c49be06800bae8261a5682
43655495b072178d7fdf0a0572bfa882
495f303f7d5f6a0b8e1308d6480ab3ac
918a7cd5c71cdd7afbc35b864e7ccdbc
84de48e086c002201ae9617e210bb4c3
cc9355935650154d165a93beeb25e3c3
64ddb79c4122d7b1f90670c027980346
8a774f4d905dbc8b6e649a4c6b2e76f2
f5081c53b3da57310ddd12882b889081
17019512414445db407b47785229450a
1ab95c75666d4233fa7accfc7b0d3f25
a8108e71ac630fb34c80acc358000e6b
3618e09622602954225283728017e3b8
4923b14525ae9585ce4d10a59d4cdb82
2bd07d15c736a085bfc057be6380bc12
e458770bfa337decc9fb796f0e902619
356eee743b3de8456206cbd8ab9c85ba
8d2f92da449ba43c9e26fd12210a5f57
af0ae8d5df013408c7518f56fc12bef8
a3276f7216fbf6ffdb105a42398e0afb
SUSE LINUX 10.0:
72fe9cafc840c3bf263f34fd75e35647
369933c15ad6bccf69e3873917f4fad0
50da99e08212b520b9a5764aa2323b8a
2f97d8e802d53e1019431257d715651b
1932be4a73932851a7c49e02e52f8a6f
920cc44062cdc86109b3212ee0e6eb70
05c99491b1a68813f2fb961fa4dab443
9d1d97698a62e8e9874c6de0b885b0fe
1320e5f539719fc243aef980534479f2
ca4d474b8bcc9fce33308797227fdbf9
d1ac42264737362ae871c87036b1173b
b5313070ba11766494707dc6f61ac34b
6bcb647e7e997f5b1614347a0ac5914c
d51890bc820e65b5173f8ed5e720ee8b
f1a301b836b26095943289736e951bff
50a93a9379a1e808741b1cb18cb7e3bc
80a76e4ea7531bed800462e7bcf2ebd4
19bd457805a0d46642b62ade9aabc4ca
c32d7cbe32c512e621f9a83e241b3aec
e3b8c81ab76ff16c67fa8251c8b508cf
361e36d56208cdeda3a07467fb0bfec0
f979cd44ecf9ef88f2626bb09cb09c78
faee9f356101b5f3a6017eba4932e510
8224547de7e45db8dd6954558d8a8bc1
d40dc2d0753d88ec8a34bd80d3d47421
b287ecb14869d587a4b840b5192bbf04
5ba9c28b72780c83d14c757cef22f42c
915406b3b839ed800d0a67f027d2c518
e5136b2c63e3effa8ed14e61c86a3242
ace1bb9ac86fa3ce9ff9b87af1e5b738
8d054b6ba8fa10d4ee540f014ba363a4
8dd35b2e3b21491567e71b8f6d5dc3ae
a2a926d5f14286377a3e0a885d6de710
ab92969b2dd34a11ff340d6d6ad5ed40
x86-64 Platform:
SUSE LINUX 10.1:
1aa541e819f0cf28bcae7cfa3d8faf83
5f46c8aed17fd6e21e3c4cefe98e3068
a002c66e3044a4e9cb2c503e72b70312
45e191689c242220dccc0720027491d5
f66e5133a464380c2c3f7c667f67eb8b
fdc8032851821193be1d35dbc404fb3d
ef7451b939c38b8d5a64c26030b84be9
953a2f7a589aeef0ffa321426fe6d489
36b14c01fc02286389f33249ff6c4e85
76a38d8ad279f5fdbbbca7e1ac30fcac
199b4078f06f55020c67f1d375b8f02e
23ec993e1268fdaffc045f9bd948f07b
687b9609eb63ce03eb9166b21fb1bc71
fc12530e303870ac7d5f53ff0aaf2520
c0b8cc5d14ab5fe1a14b60b7f10621f3
9217c9cae9cd4e7cbb20fa0977e79ec9
75f713cdd88895ae0819c534049b718d
1d775a0b2e85c4b491977fdbef9903ed
7a6987c24ec2a2bfe2aefa469f53a9ce
5e1358157e851c58f33c55f1baa1832b
7d7f980a9815c495f5eb404b96a1f579
65f19a5398080254a9d4b021cd441ba6
857341c4894c1c3edc41a53ff74bf377
SUSE LINUX 10.0:
738cad0418d599c7a1d312b5f2f1d28e
8cbd4a61479a5d449896e82f8f2747fe
898843d16262891dfe844ad919c0d76b
7ccb40a0d55e4b4d6065856e2c113e65
7da624b820d113eacdbd42939938445e
2034f854b6e4fe1562eaa83fb182388f
8c7cf607c306dd861b4424937bcf283f
31d3a4d79590037f76a6d401653e32f1
6f845e6fbb8e6f70a7e5b3b01972dcd7
d83e51da60e5e63b1ad97f3e5503482a
1888c18a14af916e80faccedff8e897e
47060c9a21a567c6373e2b5ff498caaf
7e9cbe4e6686c7caa87158f034059a8c
347dddeda126106310ed6efd6b76e299
73eb755575178471ee1d33ed6a109eb9
3f6c5a35c5dfef203cee21dc30ea538b
b3a37b64873b7563b4d7f6432a3ed7a2
0bab9e455e6cfa7b638546b54d3b5c75
3eee340684d32666d73ee1713f74ebf6
0bebfb61fe5cd8726b500aa38323808b
3920509afaec41428e740376595da363
9039f96ef34aae6880b91bdba6cc93b0
e9a9c15bbef5c26aaca323414b470966
c8bc4b48067456bfe277dafe1203ba7a
92e76709003bbd17b2c81ad096e46c1e
3e8678b95fbb33d22e86c16820570192
6e8f16a31ffe8c8f0fcdecd810ce3432
9f36ce3da24be5c0d49e48bb9624c3bc
eb45dbd62fd552cfab866cddb306c938
e88f41dc4c31d791d07a3864743d29b3
e13790c9ba16d2d7232139ff4dde5723
9a5454e33e9f330344ed71b8fe67a147
90ce9c190ffc7d46fe2c7c4807abfc6e
c9c0a3ab4cde46bb182c0b258f40f67f
a51e3555b16e1564284a22aeacb4a321
5170a261b511700b1a1bfc48011abc62
SUSE LINUX 9.3:
d0a8a3a10f0a0e1528c8d77fc10c711c
7d29734d93a9b2ed929031622395231f
b71cee2d6754b6ec0329820a009723f8
9a3b87a6d90dbea3150c0a39d7a200ea
f134257c894e6fe5e3b2842948b1af7e
19a627cbaa97f89faf6769a16dccad8d
4170c084e22ffa5d11ab0cc9ae09f7d7
3a767ddce824622d83e916ffed713e0f
1faa67b197837f9123fcfd92b2a8ee54
fa57f12cdc283627f22b8d7d9e37e124
cc4ecc9f1cf7cc20027c4c03031eaef3
310e97e460a58d2d8a16860ff0562849
369f7c7d308ff0c0bcbd4bbb8e1ba174
e3ddfd378729a1fb4e4749080a7f3b22
395f137bf64d793b7cafbcf6b40a48e2
efc1e13c901ac3aad866926b667e8d0e
9116ce650ca923dc5e3c245f64424fb9
f42c1125f4d246541bb86af8a42261ae
217967576f061dd2f2bb4135948d76f2
f1ebe9ca5aa9057c1f9c155f04ab5c6e
c34eaf8ea0d7298befd9109c09e6422d
5e93c7e38e3456b53d4f10453fd4f8c2
70ad91d6fdc379b2ce82af3e88f61a63
3eab67e86e9fc85f61120e0e159e8ba5
190b50aa354868d7c2bdeafc96bd27a3
7df97d4bd29f15a2bcb0785488d11cd7
852f121f64f4fc0ffe416ede92231855
64dbbfeb780a97a52a9f7112fe35a81e
03120cc85fe4d7d8f01f323fbf9b722c
26dc97e48c71c249390e33637290b6e8
32999e42b6d869f6be42adc8f27ebb96
ee8817f6729c0896d58b7dbf495d1a43
b934c51a66c6c12e102f840f30e98f16
55f80a7d9c9a5a49497ae4a6674678c7
39dce7bded0c42ecb553f6d4023720d7
f049e62ca4d37a4e5b39103e3fca6eb2
44b03ea63d1f4defcf602f31a2a1abb2
fdb5249957116875254fd2ba2c7074fc
SUSE LINUX 9.2:
d73e48ecbb07f2c3565538679c4567aa
04d9cd428d4063efd70838e6f59af30c
90b01223363a94ba71d1b1bca9d540b8
f057ae228a13e614f1b38cb779dccb34
ec53972396dc14c8c558a98df0cbeceb
a30419b780f105eca02b425088d8d298
3a5761b011c9ab9ceecb5ef297f0c315
aa0b9085bddc24a57dbf86717eb4a949
561f2af2986fa8142b1a010bc05d4f57
e7faded463239ea340ae8850f0384057
41bbfe96f9f82d3580475006041ab951
bb6b941448f4313a2a356560db82109f
f931b7c36b56611a2bb0c75c13bc059e
fc189ca0a3fd1f075d38b33a9f76a483
47833784a0f26da1e7d3877141815a61
e4cdfb0e2d47b1c7ada7d916e47c1407
Sources:
SUSE LINUX 10.1:
ff5694ea382b4c274f5acf8b30b308f1
SUSE LINUX 10.0:
499a6a4ef22c2a5b1a68c6843894a5d4
42a34d8b69b925212a8650a63f00c188
SUSE LINUX 9.3:
89de4fdc12856ca8c029360a4adc6d8f
1cdee4108fcd07b473054d1b59cb2c59
SUSE LINUX 9.2:
2f499cff806e484b10946bf6b00f02f3
Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:
SUSE SLES 10
http://support.novell.com/techcenter/psdb/4158cb40947679b415df74f09e98ea02.html
SLE SDK 10
http://support.novell.com/techcenter/psdb/4158cb40947679b415df74f09e98ea02.html
SUSE CORE 9 for Itanium Processor Family
http://support.novell.com/techcenter/psdb/47a19c67fad7fcec4d91c5a44208bcc5.html
Open Enterprise Server
http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.html
Novell Linux POS 9
http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.html
SUSE SLES 9
http://support.novell.com/techcenter/psdb/47a19c67fad7fcec4d91c5a44208bcc5.html
http://support.novell.com/techcenter/psdb/1a2f0555d36498842c2e883d8fb6e27e.html
UnitedLinux 1.0
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
SuSE Linux Openexchange Server 4
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
SuSE Linux Enterprise Server 8
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
SuSE Linux Standard Server 8
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
SuSE Linux School Server
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
SUSE LINUX Retail Solution 8
http://support.novell.com/techcenter/psdb/7cd59aa86a1f1b1dbca70a4416a78d26.html
______________________________________________________________________________
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
______________________________________________________________________________
6) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify
replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:
gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "
where is replaced by the date the document was signed.
If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command
gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc
- Package authenticity verification:
SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.
There are two verification methods that can be used independently from
each other to prove the authenticity of a downloaded file or RPM package:
1) Using the internal gpg signatures of the rpm package
2) MD5 checksums as provided in this announcement
1) The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command
rpm -v --checksig
to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.
This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.
2) If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the command
md5sum
after you downloaded the file from a SUSE FTP server or its mirrors.
Then compare the resulting md5sum with the one that is listed in the
SUSE security announcement. Because the announcement containing the
checksums is cryptographically signed (by security@suse.de), the
checksums show proof of the authenticity of the package if the
signature of the announcement is valid. Note that the md5 sums
published in the SUSE Security Announcements are valid for the
respective packages only. Newer versions of these packages cannot be
verified.
- SUSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- General Linux and SUSE security discussion.
All SUSE security announcements are sent to this list.
To subscribe, send an e-mail to
.
suse-security-announce@suse.com
- SUSE's announce-only mailing list.
Only SUSE's security announcements are sent to this list.
To subscribe, send an e-mail to
.
For general information or the frequently asked questions (FAQ),
send mail to or
.
==================================================================== SUSE's security contact is or .
The public key is listed below.
====================================================================
