Säkerhetsbulletin från Debian

php3 -- möjlig fjärrkomprommetering

Rapporterat den:

2000-10-14

Berörda paket:

php3

Sårbara:

Referenser i säkerhetsdatabaser:

I Mitres CVE-förteckning: CVE-2000-0967.

Ytterligare information:

I versioner av PHP 4-paketen tidigare än version 3.0.17 finns det flera formatsträngsfel som kan göra det möjligt för speciellt skrivna förfrågningar att exekvera kod som den användare som kör PHP-skripten på webbservern, speciellt om felloggning har aktiverats.

Detta problem har rättats i version 3.0.17-0potato2 och 3.0.17-0potato3 för Debian 2.2 (potato) och 3.0.17-1 för Debian unstable (woody). Detta är en felrättande utgåva, och vi rekommenderar alla användare av php3 att uppgradera till den.

Debian GNU/Linux 2.1 (slink) innehåller php3 version 3.0.5, vilken antas påverkas av detta problem. Ingen säkerhetsrättelse för slink är tillgänglig för tillfället; Slinkanvändare som har php3-användare rekommenderas antingen att uppgradera till potato eller att kompilera om potato-php3-paketen från källkoden (se adresserna nedan).

Rättat i:

Debian GNU/Linux 2.2 (potato)

Källkod:: http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17-0potato3.diff.gz; http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17-0potato3.dsc; http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17.orig.tar.gz
Arkitekturoberoende komponent:: http://security.debian.org/dists/potato/updates/main/binary-all/php3-doc_3.0.17-0potato3_all.deb
Alpha:: http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-gd_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-imap_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-ldap_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-magick_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-mhash_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-mysql_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-pgsql_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-snmp_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-xml_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-dev_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-gd_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-imap_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-ldap_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-magick_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-mhash_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-mysql_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-pgsql_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-snmp_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-xml_3.0.17-0potato3_alpha.deb; http://security.debian.org/dists/potato/updates/main/binary-alpha/php3_3.0.17-0potato3_alpha.deb
ARM:: http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-gd_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-imap_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-ldap_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-magick_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-mhash_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-mysql_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-pgsql_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-snmp_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-xml_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-dev_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-gd_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-imap_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-ldap_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-magick_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-mhash_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-mysql_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-pgsql_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-snmp_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3-xml_3.0.17-0potato3_arm.deb; http://security.debian.org/dists/potato/updates/main/binary-arm/php3_3.0.17-0potato3_arm.deb
Intel IA-32:: http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-gd_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-imap_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-ldap_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-magick_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-mhash_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-mysql_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-pgsql_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-snmp_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-xml_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-dev_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-gd_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-imap_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-ldap_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-magick_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-mhash_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-mysql_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-pgsql_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-snmp_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3-xml_3.0.17-0potato2_i386.deb; http://security.debian.org/dists/potato/updates/main/binary-i386/php3_3.0.17-0potato2_i386.deb
Motorola 680x0:: http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-gd_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-imap_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-ldap_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-magick_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-mhash_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-mysql_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-pgsql_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-snmp_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-xml_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-dev_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-gd_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-imap_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-ldap_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-magick_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-mhash_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-mysql_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-pgsql_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-snmp_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-xml_3.0.17-0potato3_m68k.deb; http://security.debian.org/dists/potato/updates/main/binary-m68k/php3_3.0.17-0potato3_m68k.deb
PowerPC:: http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-gd_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-imap_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-ldap_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-magick_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-mhash_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-mysql_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-pgsql_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-snmp_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-xml_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-dev_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-gd_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-imap_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-ldap_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-magick_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-mhash_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-mysql_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-pgsql_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-snmp_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-xml_3.0.17-0potato3_powerpc.deb; http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3_3.0.17-0potato3_powerpc.deb
Sun Sparc:: http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-gd_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-imap_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-ldap_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-magick_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-mhash_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-mysql_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-pgsql_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-snmp_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-xml_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-dev_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-gd_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-imap_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-ldap_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-magick_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-mhash_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-mysql_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-pgsql_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-snmp_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-xml_3.0.17-0potato3_sparc.deb; http://security.debian.org/dists/potato/updates/main/binary-sparc/php3_3.0.17-0potato3_sparc.deb