-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-09
- - ---------------------------------------------------------------------

PACKAGE : mod_php php
SUMMARY : arbitrary code execution
DATE : 2003-02-19 13:28 UTC
EXPLOIT : local

- - ---------------------------------------------------------------------

- From release notes:

"PHP contains code for preventing direct access to the CGI binary with
configure option "--enable-force-cgi-redirect" and php.ini option
"cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these
options useless."

Read the full release notes at:
http://www.php.net/release_4_3_1.php

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-php/mod_php and/or dev-php/php upgrade to php-4.3.1
and/or mod_php-4.3.1 as follows:

emerge sync
emerge -u mod_php and/or emerge -u php
emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
rphillips@g.o
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+U4ZjfT7nyhUpoZMRAsWsAJ4qV3t9D0x7RIvX32//aHcJvz3kbgCgwywT
I44q0SlLumCn++b7K2yvhZc=
=QPPk
-----END PGP SIGNATURE-----
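
Added example (not part of the signed advisory or of Gentoo's or PHP's own tooling): a post-upgrade check that flags the 4.3.0 release named above and reports whether cgi.force_redirect is still enabled in a given php.ini. The function names are hypothetical, the sample php.ini is constructed, and it assumes the option defaults to 1 when not set.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names are hypothetical
# and the sample php.ini content below is constructed.

# Returns 0 if the version string is 4.3.0, the release the advisory names.
php_version_affected() {
    case "$1" in
        4.3.0|4.3.0-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the effective cgi.force_redirect value from a php.ini file: the last
# uncommented assignment, or 1 (assumed default) when the option is not set.
force_redirect_setting() {
    awk -F= '
        /^[ \t]*;/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == "cgi.force_redirect" {
            val = $2; sub(/;.*/, "", val); gsub(/[ \t"\r]/, "", val); seen = 1
        }
        END { if (seen) print val; else print "1" }
    ' "$1"
}

# Prints a verdict; returns 0 = ok, 1 = redirect check disabled, 2 = affected version.
check_php_cgi() {
    if php_version_affected "$1"; then
        echo "AFFECTED: PHP $1, cgi.force_redirect has no effect; upgrade to 4.3.1"
        return 2
    fi
    case "$(force_redirect_setting "$2" | tr 'A-Z' 'a-z')" in
        1|on|yes|true) echo "OK: PHP $1, cgi.force_redirect enabled"; return 0 ;;
        *) echo "WARNING: PHP $1, cgi.force_redirect disabled in $2"; return 1 ;;
    esac
}

# Demo on a constructed php.ini; on a real host pass the version from `php -v`.
demo_ini=$(mktemp)
printf ';cgi.force_redirect = 0\ncgi.force_redirect = 1\n' > "$demo_ini"
check_php_cgi 4.3.0 "$demo_ini" || true
check_php_cgi 4.3.1 "$demo_ini"
rm -f "$demo_ini"
```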