__________________________________________________________

                 The U.S. Department of Energy
            Computer Incident Advisory Capability
__________________________________________________________

                            INFORMATION BULLETIN

                            PHP Security Update
                        [Red Hat RHSA:2007:0348-2]

May 10, 2007 13:00 GMT                                            Number R-235
                                                        [REVISED 24 May 2007]
                                                        [REVISED 11 Jul 2007]
                                                        [REVISED 24 Oct 2007]
_________________________________________________________________________

PROBLEM:       A heap buffer overflow flaw was found in the PHP 'xmlrpc'
               extension and a flaw was found in the PHP 'ftp' extension.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux AS, ES, WS (v.2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               Debian GNU/Linux 4.0 (etch) and 3.1 (sarge)

DAMAGE:        Could allow a remote attacker to execute arbitrary code as the
               'apache' user.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Could allow a remote attacker to execute
ASSESSMENT:    arbitrary code as the 'apache' user.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-235.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0348.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2007/dsa-1295
                     http://www.debian.org/security/2007/dsa-1296
                     http://www.debian.org/security/2007/dsa-1330
                     http://www.debian.org/security/2007/dsa-1331
                     https://rhn.redhat.com/errata/RHSA-2007-0888.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-1864 CVE-2007-2509 CVE-2007-2510
______________________________________________________________________________

REVISION HISTORY:
 05/24/2007 - revised R-235 to add links to Debian Security Advisories
              DSA-1295-1 and DSA-1296-1 for Debian GNU/Linux 4.0 (etch) and
              3.1 (sarge).
 07/11/2007 - revised R-235 to add links to Debian Security Advisories
              DSA-1331-1 and DSA-1330-1 for Debian GNU/Linux 4.0 (etch) and
              3.1 (sarge).
 10/24/2007 - revised R-235 to add a link to Red Hat RHSA-2007:0888-2 for
              Red Hat Enterprise Linux AS, ES, WS (v.2.1) and Red Hat Linux
              Advanced Workstation 2.1 for the Itanium Processor.

[***** Start Red Hat RHSA:2007:0348-2 *****]

Important: php security update

Advisory:          RHSA-2007:0348-2
Type:              Security Advisory
Severity:          Important
Issued on:         2007-05-08
Last updated on:   2007-05-08
Affected Products: RHEL Desktop Workstation (v. 5 client)
                   Red Hat Enterprise Linux (v. 5 server)
OVAL:              com.redhat.rhsa-20070348.xml
CVEs (cve.mitre.org): CVE-2007-1864
                      CVE-2007-2509
                      CVE-2007-2510

Details

Updated PHP packages that fix several security issues are now available for
Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat
Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP
Web server.

A heap buffer overflow flaw was found in the PHP 'xmlrpc' extension. A PHP
script which implements an XML-RPC server using this extension could allow a
remote attacker to execute arbitrary code as the 'apache' user. Note that this
flaw does not affect PHP applications using the pure-PHP XML_RPC class
provided in /usr/share/pear. (CVE-2007-1864)

A flaw was found in the PHP 'ftp' extension. If a PHP script used this
extension to provide access to a private FTP server, and passed untrusted
script input directly to any function provided by this extension, a remote
attacker would be able to send arbitrary FTP commands to the server.
(CVE-2007-2509)

A buffer overflow flaw was found in the PHP 'soap' extension, regarding the
handling of an HTTP redirect response when using the SOAP client provided by
this extension with an untrusted SOAP server. No mechanism to trigger this
flaw remotely is known.
(CVE-2007-2510)

Users of PHP should upgrade to these updated packages which contain backported
patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Desktop Workstation (v. 5 client)
--------------------------------------------------------------------------------
SRPMS:
php-5.1.6-12.el5.src.rpm     1f072047b7d34d64fe5fbe532f6777c0

Binary packages: php, php-bcmath, php-cli, php-common, php-dba, php-devel,
php-gd, php-imap, php-ldap, php-mbstring, php-mysql, php-ncurses, php-odbc,
php-pdo, php-pgsql, php-snmp, php-soap, php-xml and php-xmlrpc at 5.1.6-12.el5
for IA-32 and x86_64.

Red Hat Enterprise Linux (v. 5 server)
--------------------------------------------------------------------------------
SRPMS:
php-5.1.6-12.el5.src.rpm     1f072047b7d34d64fe5fbe532f6777c0

Binary packages: the same php subpackages at 5.1.6-12.el5 for IA-32, IA-64,
PPC, s390x and x86_64.
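Added example (not part of the CIAC or Red Hat bulletin): a script that reads `rpm -q` output and reports which php subpackages are still below the fixed build, php-5.1.6-12.el5, named in the package list above. It assumes rpm's segment-by-segment version comparison rules (simplified: no epoch, tilde or caret handling) and uses constructed sample output rather than data from a real host.

```python
"""Report php* packages that are older than the RHSA-2007:0348 fixed build.

Feed audit() the output of:
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'php*'
The SAMPLE below is constructed for illustration, not captured from a host.
"""
import re

FIXED_VERSION = "5.1.6"   # from php-5.1.6-12.el5.src.rpm in the bulletin
FIXED_RELEASE = "12.el5"

def _segments(s):
    # rpm splits a version string into runs of digits and runs of letters
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (simplified: no ~ or ^)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as ints
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric is newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer string is newer

def is_fixed(version, release):
    """True if version-release is at or past 5.1.6-12.el5."""
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

# name-version-release as printed by the rpm query above (no epoch)
NVR = re.compile(r"^(?P<name>php(?:-[a-z]+)?)-(?P<ver>[^-\s]+)-(?P<rel>[^-\s]+)$")

def audit(rpm_output):
    """Map each php* package name in the query output to True (fixed)/False."""
    result = {}
    for line in rpm_output.splitlines():
        m = NVR.match(line.strip())
        if m:
            result[m["name"]] = is_fixed(m["ver"], m["rel"])
    return result

# Constructed sample: one subpackage was left behind on an older build.
SAMPLE = "php-5.1.6-12.el5\nphp-xmlrpc-5.1.6-7.el5\nphp-cli-5.1.6-12.el5\n"

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE, upgrade'}")
```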
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

239015 - CVE-2007-1864 various PHP security issues (CVE-2007-2509
         CVE-2007-2510)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2510
http://www.redhat.com/security/updates/classification/#important

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA:2007:0348-2 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-225: QEMU
R-226: LiveData Protocol Server Vulnerability
R-227: AXIS Communications CamImage ActiveX Update
R-228: Vulnerabilities in Microsoft Exchange (931832)
R-229: Vulnerability in Windows DNS RPC Interface (935966)
R-230: Vulnerabilities in Microsoft Excel (934233)
R-231: Vulnerabilities in Microsoft Word
R-232: Vulnerability in Microsoft Office
R-233: Cumulative Security Update for Internet Explorer
R-234: Vulnerability in CAPICOM