Stay Secure with the Latest Linux Advisories

security advisorySlackwarePCRE

Slackware 10.1: DSA-2005-251-04 Moderate: PHP Overflow Fix

A new php5 package is available for Slackware 10.1 in /testing to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] php5 in Slackware 10.1 (SSA:2005-251-04) A new php5 package is available for Slackware 10.1 in /testing to fix security issues. PHP has been relinked with the shared PCRE library to fix an overflow issue with PHP's builtin PRCE code, and PEAR::XMLRPC has been upgraded to version 1.4.0 which eliminates the eval() function. The eval() function is believed to be insecure as implemented, and would be difficult to secure. Note that this new package now requires that the PCRE package be installed, so be sure to get the new package from the patches/packages/ directory if you don't already have it. More details about these issues may be found in the Common Vulnerabilities and Exposures (CVE) database: https://www.cve.org/CVERecord?id=CAN-2005-2491 https://www.cve.org/CVERecord?id=CAN-2005-2498 Here are the details from the Slackware 10.1 ChangeLog: +--------------------------+ testing/packages/php-5.0.5/php-5.0.5-i486-1.tgz: Upgraded to php-5.0.5, which fixes security issues with XML-RPC and PCRE. This new package now links with the system's shared PCRE library, so be sure you have the new PCRE package from patches/packages/ installed. Ordinarily packages in /testing are not considered supported, but several people have written to say that they are using php5 from /testing in a production environment and would like to see an updated package, so here it is. The package in /testing was replaced in /testing rather than putting it under /patches to avoid any problems with automatic upgrade tools replacing php-4 packages with this one. For more information on the security issues fixed, see: https://www.cve.org/CVERecord?id=CAN-2005-2491 https://www.cve.org/CVERecord?id=CAN-2005-2498 (* Security fix *) +--------------------------+ Where to find the new package: +----------------------------+ Updated package for Slackware 10.1: MD5 signature: +------------+ Slackware 10.1 package: 8926968bdfa8bd2103048bd2c21ad07c php-5.0.5-i486-1.tgz Installation instructions: +------------------------+ First, stop apache: # apachectl stop Next, upgrade to the new PHP package: # upgradepkg php-5.0.5-i486-1.tgz Finally, restart apache: # apachectl start (or: apachectl startssl) +-----+ . A fresh php5 release for Slackware 10.1 has been issued, addressing various overflow vulnerabilities and updating PEAR::XMLRPC to bolster security measures.. Slackware Security, PHP Upgrade, PCRE Fix. . Severity: Important. LinuxSecurity.com Team

Sep 08, 2005 •Important Slackware