OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /e/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-web Date: 18-Feb-2003 17:22:02
Branch: HEAD Handle: 2003021816220100
Modified files:
openpkg-web/security OpenPKG-SA-2003.010-php.txt
Log:
final signing
Summary:
Revision Changes Path
1.3 +30 -19 openpkg-web/security/OpenPKG-SA-2003.010-php.txt
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-web/security/OpenPKG-SA-2003.010-php.txt
============================================================================
$ cvs diff -u -r1.2 -r1.3 OpenPKG-SA-2003.010-php.txt
--- openpkg-web/security/OpenPKG-SA-2003.010-php.txt 18 Feb 2003 13:39:36 -0000
1.2
+++ openpkg-web/security/OpenPKG-SA-2003.010-php.txt 18 Feb 2003 16:22:01 -0000
1.3
@@ -1,3 +1,5 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
________________________________________________________________________
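Review bot: the clearsign header "Hash: SHA1" must be followed by one empty line before the signed text begins, and in this rendering the separator line of underscores follows it directly. The hunk counts (-1,3 +1,5) account for two more unchanged lines than are visible, so the blank line is most likely present and was dropped by the archive; still worth confirming on the committed file, because that empty line is what separates the armor headers from the signed body.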
@@ -17,28 +19,29 @@
>= apache-1.3.27-20021228 >= apache-1.3.27-20030218
OpenPKG 1.2 == php-4.3.0-1.2.0 >= php-4.3.0-1.2.1
== apache-1.3.27-1.2.0 >= apache-1.3.27-1.2.1
-OpenPKG 1.1 none n.a.
+OpenPKG 1.1 none N.A.
Dependent Packages: none
Description:
- Kosmas Skiadopoulos discovered a serious security vulnerability [0] in
- the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for preventing
- direct access to the CGI binary with configure option
- '--enable-force-cgi-redirect' and php.ini option 'cgi.force_redirect'.
- In PHP 4.3.0 there is a bug which renders these options useless. Please
- note that this bug does NOT affect any of the other SAPI modules such as
- the Apache or ISAPI modules.
-
- Anyone with access to websites hosted on a web server which employs the
- CGI module may exploit this vulnerability to gain access to any file
- readable by the user under which the webserver runs. A remote attacker
- could also trick PHP into executing arbitrary PHP code if attacker is
- able to inject the code into files accessible by the CGI. This could be
- for example the web server access-logs.
-
- Please check whether you are affected by running '<prefix>/bin/rpm -qa |
- grep php'. If you have either the 'php' or 'apache with mod_php'
+ Kosmas Skiadopoulos discovered a serious security vulnerability [0]
+ in the CGI SAPI of PHP version 4.3.0. PHP [1] contains code for
+ preventing direct access to the CGI binary with configure option
+ "--enable-force-cgi-redirect" and php.ini option "cgi.force_redirect".
+ In PHP 4.3.0 there is a bug which renders these options useless.
+ Please note that this bug does NOT affect any of the other SAPI
+ modules such as the Apache or ISAPI modules.
+
+ Anyone with access to websites hosted on a web server which employs
+ the CGI module may exploit this vulnerability to gain access to any
+ file readable by the user under which the webserver runs. A remote
+ attacker could also trick PHP into executing arbitrary PHP code if
+ attacker is able to inject the code into files accessible by the CGI.
+ This could be for example the web server access-logs.
+
+ Please check whether you are affected by running "<prefix>/bin/rpm -q
+ php apache" and "<prefix>/bin/rpm -qi apache | grep with_mod_php".
+ If you have either the "php" or "apache" with option "with_mod_php"
packages installed and their version is affected (see above), we
recommend that you immediately upgrade (see Solution) [2][3].
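Review bot: the reflowed paragraph still carries the grammatical slip from the old text, "+ attacker could also trick PHP into executing arbitrary PHP code if" / "+ attacker is able to inject the code"; suggest "if the attacker is able to inject". On the new check command, "<prefix>/bin/rpm -qi apache | grep with_mod_php" depends on the build option being listed in the package information output; if a silent grep result is meant to indicate "not affected", say so explicitly, since a reader who sees no output cannot tell whether the option is absent or the package is not installed (the preceding "rpm -q php apache" line does cover the latter case).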
@@ -57,7 +60,8 @@
ftp> get apache-1.3.27-1.2.1.src.rpm
ftp> bye
$ <prefix>/bin/rpm -v --checksig apache-1.3.27-1.2.1.src.rpm
- $ <prefix>/bin/rpm --rebuild apache-1.3.27-1.2.1.src.rpm --define 'with_mod_php
yes'
+ $ <prefix>/bin/rpm --rebuild --define 'with_mod_php yes' \
+ apache-1.3.27-1.2.1.src.rpm
$ su -
# <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/apache-1.3.27-1.2.1.*.rpm
________________________________________________________________________
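Review bot: placing "--define 'with_mod_php yes'" before the source RPM and breaking the line with an explicit backslash removes the copy-and-paste hazard of the old form, where the wrapped "yes'" landed on its own line and would have split the quoted option. One further suggestion for the same step list: the "--checksig" line is followed unconditionally by the rebuild, so consider stating that the rebuild should only proceed when --checksig reports a good signature, as that is the only point at which a tampered package would be caught.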
@@ -82,3 +86,10 @@
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________
+-----BEGIN PGP SIGNATURE-----
+Comment: OpenPKG <[EMAIL PROTECTED]>
+
+iD8DBQE+Ul0CgHWT4GPEy58RAiylAJ0UMcYLUNYbOOl1oFIuqfAxWALcagCgxUsx
+I0CUzWnNLnX57B9wHXCwWWQ=
+=dpIT
+-----END PGP SIGNATURE-----
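Review bot: with the detached signature now embedded, the verification instruction in the preceding context line, "gpg --verify --keyserver keyserver.pgp.com", should name the file being verified and, ideally, the fingerprint of the OpenPKG signing key, so readers compare against a pinned key rather than trusting whichever key the keyserver returns for the address in the "Comment:" armor header.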
@@ .
______________________________________________________________________
The OpenPKG Project www.openpkg.org
CVS Repository Commit List [EMAIL PROTECTED]