OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 22-Jan-2003 14:31:39
Branch: HEAD Handle: 2003012213313800
Modified files:
openpkg-web/security OpenPKG-SA-2003.005-php.txt
Log:
final polishing of PHP SA
Summary:
Revision Changes Path
1.2 +33 -26 openpkg-web/security/OpenPKG-SA-2003.005-php.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.005-php.txt
============================================================================
$ cvs diff -u -r1.1 -r1.2 OpenPKG-SA-2003.005-php.txt
--- openpkg-web/security/OpenPKG-SA-2003.005-php.txt 22 Jan 2003 13:01:32 -0000
1.1
+++ openpkg-web/security/OpenPKG-SA-2003.005-php.txt 22 Jan 2003 13:31:38 -0000
1.2
@@ -1,3 +1,6 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Project
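Review bot: the clearsign header added at the top of this hunk means everything between the "Hash: SHA1" line and the signature block at the end of the file is now covered by the signature, so any later hand edit to the advisory text (including wording fixes of the kind made in the following hunks) silently invalidates it. The committed file should be the verbatim output of the signing step, and the "gpg --verify" command the advisory itself quotes further down should be run against the committed copy before it is published.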
@@ -6,36 +9,31 @@
OpenPKG-SA-2003.005 22-Jan-2003
________________________________________________________________________
-Package: php
+Package: php, apache
Vulnerability: buffer overflow in "wordwrap" function
OpenPKG Specific: no
Affected Releases: Affected Packages: Corrected Packages:
OpenPKG CURRENT <= php-4.2.3-20020907 >= php-4.3.0-20021228
-OpenPKG 1.2 none >= php-4.3.0-1.2.0
+ <= apache-1.3.27-20021129 >= apache-1.3.27-20021228
+OpenPKG 1.2 none N.A.
OpenPKG 1.1 <= php-4.2.2-1.1.0 >= php-4.2.2-1.1.1
-OpenPKG 1.0 none >= php-4.0.6-1.0.1
-
-Affected Releases: Dependent Packages:
-OpenPKG CURRENT <= apache-1.3.27-20021129 >= apache-1.3.27-20021228
-OpenPKG 1.2 none >= apache-1.3.27-1.2.0
-OpenPKG 1.1 <= apache-1.3.26-1.1.2 >= apache-1.3.26-1.1.3
-OpenPKG 1.0 none >= apache-1.3.22-1.0.6
+ <= apache-1.3.26-1.1.2 >= apache-1.3.26-1.1.3
+OpenPKG 1.0 none N.A.
Description:
- According to a bug report [0] from David F. Skoll
- <[EMAIL PROTECTED]> a buffer overflow problem exists in the
- "wordwrap" function of Personal HomePage (PHP) [1], a an HTML-embedded
- scripting language. Thanks to David's input and help the source of the
- problem was tracked down and corrected. The Common Vulnerabilities and
- Exposures (CVE) project assigned the id CAN-2002-1396 [2] to the
- problem.
+ According to a bug report [0] from David F. Skoll a buffer overflow
+ problem exists in the "wordwrap" function of Personal HomePage (PHP)
+ [1], a HTML-embedded scripting language. Thanks to Davids input and
+ help, the source of the problem was tracked down and corrected by
+ the vendor. The Common Vulnerabilities and Exposures (CVE) project
+ assigned the id CAN-2002-1396 [2] to the problem.
- Please check whether you are affected by running "<prefix>/bin/rpm -q
- php". If you have the "php" package installed and its version is
+ Please check whether you are affected by running "<prefix>/bin/rpm
+ -q php". If you have the "php" package installed and its version is
affected (see above), we recommend that you immediately upgrade it
(see Solution). [3][4]
-
+
Also run "<prefix>/bin/rpm -qi apache". If you have the "apache"
package installed having the "with_mod_php" option set to "yes" and
its version is affected (see above), we recommend that you immediately
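Review bot: the rewritten Description keeps the grammar slip the old text had: "a HTML-embedded scripting language" should read "an HTML-embedded scripting language", and "Davids input" needs the apostrophe ("David's input"). In the table, the two added "<= apache-..." rows carry no release label in the first column; repeating "OpenPKG CURRENT" and "OpenPKG 1.1" there would keep the rows unambiguous if the table is ever re-flowed. The "-"/"+" pair that replaces the blank separator line differs only in whitespace and should be dropped from the change.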
@@ -43,8 +41,8 @@
Solution:
Select the updated source RPM appropriate for your OpenPKG release
- [5], fetch it from the OpenPKG FTP service [6] or a mirror
- location, verify its integrity [7], build a corresponding binary RPM
+ [5][6], fetch it from the OpenPKG FTP service [7] or a mirror
+ location, verify its integrity [8], build a corresponding binary RPM
from it [3] and update your OpenPKG installation by applying the binary
RPM [4]. For the release OpenPKG 1.1, perform the following
operations to permanently fix the security problem (for other releases
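Review bot: "Select the updated source RPM appropriate for your OpenPKG release [5][6]" now cites two source RPMs (php and apache) while the sentence still says "RPM" in the singular; "source RPMs" would match the two references. The renumbering to [7] and [8] is consistent with the References hunk later in the patch.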
@@ -54,14 +52,15 @@
ftp> bin
ftp> cd release/1.1/UPD
ftp> get php-4.2.2-1.1.1.src.rpm
+ ftp> get apache-1.3.26-1.1.3.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig php-4.2.2-1.1.1.src.rpm
+ $ <prefix>/bin/rpm -v --checksig apache-1.3.26-1.1.3.src.rpm
$ <prefix>/bin/rpm --rebuild php-4.2.2-1.1.1.src.rpm
+ $ <prefix>/bin/rpm --rebuild apache-1.3.26-1.1.3.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/php-4.2.2-1.1.1.*.rpm
-
- Additionally, we recommend that you rebuild and reinstall
- all dependent packages (see above), if any, too. [3][4]
+ # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.26-1.1.3.*.rpm
________________________________________________________________________
References:
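Review bot: the added "rpm --rebuild apache-1.3.26-1.1.3.src.rpm" line does not say how to keep the build options the package was originally installed with; the Description earlier in this file tells readers the apache package is only affected when built with "with_mod_php" set to "yes", so a reader who follows these commands verbatim may rebuild apache without mod_php and end up with a different package than the one they are replacing. Consider adding a sentence that the apache package must be rebuilt with the same options as the installed one, and keep the php upgrade before the apache one, as the listing already does, since the rebuilt mod_php links against the fixed php.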
@@ -71,8 +70,9 @@
[3] http://www.openpkg.org/tutorial.html#regular-source
[4] http://www.openpkg.org/tutorial.html#regular-binary
[5] ftp://ftp.openpkg.org/release/1.1/UPD/php-4.2.2-1.1.1.src.rpm
- [6] ftp://ftp.openpkg.org/release/1.1/UPD/
- [7] http://www.openpkg.org/security.html#signature
+ [6] ftp://ftp.openpkg.org/release/1.1/UPD/apache-1.3.26-1.1.3.src.rpm
+ [7] ftp://ftp.openpkg.org/release/1.1/UPD/
+ [8] http://www.openpkg.org/security.html#signature
________________________________________________________________________
For security reasons, this advisory was digitally signed with
@@ -84,3 +84,10 @@
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE+Lp0igHWT4GPEy58RArl+AJ9/w1U0RwTAHxUooOo/OUpCx9yJagCg8KlV
+yRQ54kIUxzdQn/bmmfpHZMo=
+=9ZrR
+-----END PGP SIGNATURE-----
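Review bot: the signature block identifies the signer only through the "Comment:" header, and the verification paragraph above it tells readers to fetch the key from keyserver.pgp.com; without the key ID or fingerprint stated in the advisory text, a reader cannot confirm that the key retrieved from the keyserver is the one the project actually signs with. Suggest adding the signing key's ID (and ideally its fingerprint) to the verification paragraph, or pointing to the "security.html#signature" page already cited as [8] if it lists it.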
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]