Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: mod_php (200302-09.1)
Date: Wed, 19 Feb 2003 16:08:53
Message-Id: 20030219155648.84F8A33B58@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200302-09.1
- - ---------------------------------------------------------------------

PACKAGE : mod_php
SUMMARY : arbitrary code execution
DATE : 2003-02-19 15:56 UTC
EXPLOIT : remote

- - ---------------------------------------------------------------------

This is a re-release of GLSA-200302-09 because the first post
contained some errors.

- From release notes:

"PHP contains code for preventing direct access to the CGI binary with
configure option "--enable-force-cgi-redirect" and php.ini option
"cgi.force_redirect". In PHP 4.3.0 there is a bug which renders these
options useless."

Read the full release notes at:
http://www.php.net/release_4_3_1.php

SOLUTION

It is recommended that all Gentoo Linux users who are running
dev-php/mod_php upgrade to mod_php-4.3.1 as follows:

emerge sync
emerge -u mod_php
emerge clean

- - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
rphillips@g.o
- - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+U6k3fT7nyhUpoZMRAgYGAJ0VuZ3QvRgdFE9MfkrsdpNRQnfNwgCgqDwK
agZ3yHaDeGja82rJavna2GY=
=r2WB
-----END PGP SIGNATURE-----