RHSA-2005:031 - Security Advisory
Security Advisory: Important
Updated php packages that fix various security issues are now
available for Red Hat Enterprise Linux 2.1.
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.
A double-free bug was found in the deserialization code of PHP. PHP
applications use the unserialize function on untrusted user data, which
could allow a remote attacker to gain access to memory or potentially
execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1019 to this issue.
Flaws were found in the pack and unpack PHP functions. These functions
do not normally pass user supplied data, so they would require a malicious
PHP script to be exploited. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-1018 to this issue.
A bug was discovered in the initialization of the OpenSSL library, such
that the curl extension could not be used to perform HTTP requests over SSL
unless the php-imap package was installed.
Users of PHP should upgrade to these updated packages, which contain fixes
for these issues.
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
- Red Hat Enterprise Linux Server 2 ia64
- Red Hat Enterprise Linux Server 2 i386
- Red Hat Enterprise Linux Workstation 2 ia64
- Red Hat Enterprise Linux Workstation 2 i386