[debian-users:24906] [SECURITY] New version of Debian php4 packages released (updated) (from debian-security-announce@lists.debian.org)



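Versions of the php4 package earlier than 4.0.3 have a problem that allows a
remote user to execute code with the privileges of the user running PHP
scripts.

Below is the information that went out on
debian-security-announce@lists.debian.org dated October 14 (sorry for the
delay). (Two Debian Security Advisories were issued, but the first one had
incorrect URLs.) I have added a reference translation, but it may contain
mistranslations. If you need to make a decision, please refer to the quoted
original text.

The PGP-signed original text can be read at:
http://lists.debian.org/debian-security-announce-00/msg00069.html
http://lists.debian.org/debian-security-announce-00/msg00070.html (corrected version)
A web version is also available at:
http://www.jp.debian.org/security/2000/20001014b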


From: Daniel Jacobowitz <drow@xxxxxxxxxxxxx>
Subject: [SECURITY] New version of Debian php4 packages released (updated)
Date: Sat, 14 Oct 2000 03:46:21 -0400
> ----------------------------------------------------------------------------
> Debian Security Advisory                                 security@debian.org
> http://www.debian.org/security/                            Daniel Jacobowitz
> October 14, 2000
> ----------------------------------------------------------------------------

> Package: php4
> Vulnerability: possible remote exploit
> Debian-specific: no
> Vulnerable: yes

Package        : php4
Problem type   : possible remote exploit
Debian-specific: no
Vulnerable     : yes


> [Updated version: corrected URLs]

[Updated version: URLs corrected]


> In versions of the PHP 4 packages before version 4.0.3, several format
> string bugs could allow properly crafted requests to execute code as the
> user running PHP scripts on the web server.

PHP 4 packages earlier than version 4.0.3 contain several format string
bugs. With these, a carefully crafted request can cause code to be executed
with the privileges of the user who runs PHP scripts on the web server.


> This problem is fixed in versions 4.0.3-0potato1 for Debian 2.2 (potato) and
> 4.0.3-1 for Debian Unstable (woody).  This is a bug fix release and we recommend
> all users of php4 upgrade to it; potato users should note that this is an
> upgrade from 4.0b3, but no incompatibilities are expected.

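This problem has been fixed in version 4.0.3-0potato1 for Debian 2.2
(potato) and version 4.0.3-1 for the Debian development version (Unstable,
woody). We recommend that all php4 users upgrade to this bug fix release.
Note that for potato users this is an upgrade from 4.0b3. There may be
incompatibilities that cannot be anticipated.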


> Debian GNU/Linux 2.1 alias slink
> --------------------------------

Debian GNU/Linux 2.1 alias slink


>   Slink does not contain any php4 packages, and is therefore not affected.

slink has no php4 packages, so it is not affected.


> Debian GNU/Linux 2.2 (stable) alias potato
> ------------------------------------------

Debian GNU/Linux 2.2 (stable) alias potato


>   Fixes are currently available for the Alpha, Intel ia32, Motorola 680x0,
>   PowerPC and Sun SPARC architectures, and will be included in 2.2r1.

Fixed versions are currently available for Alpha, Intel ia32, Motorola
680x0, PowerPC and Sun SPARC. They are scheduled to be included in 2.2r1.



> Debian GNU/Linux Unstable alias woody
> -------------------------------------

Debian GNU/Linux development version alias woody


>   This version of Debian is not yet released.

This version of Debian has not been released yet.


>   Fixes are currently available for Alpha and Intel ia32 in the Debian
>   archives; fixes for other architectures will be made available shortly.

Fixed versions for Alpha and Intel ia32 are currently in the Debian archive.
Fixed versions for other architectures will become available shortly.


> ----------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> Mailing list: debian-security-announce@lists.debian.org

-- 
喜瀬“冬猫”浩@南国沖縄

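The original advisory lists each fixed package as a URL line followed by an `MD5 checksum:` line. The following is an added example, not part of the original message or of the Debian advisory, showing one way to parse that layout and check downloaded files against it; the host `mirror.example.invalid`, the `pkg-*` file names and all file contents are constructed sample data.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Optional "> " covers advisories that arrive quoted in a mail reply.
URL_RE = re.compile(r"^(?:>\s*)?\s*(https?://\S+)\s*$")
MD5_RE = re.compile(r"^(?:>\s*)?\s*MD5 checksum:\s*([0-9a-fA-F]{32})\s*$")


def parse_advisory(text):
    """Return {filename: md5hex} from URL lines followed by a checksum line."""
    expected, pending = {}, None
    for line in text.splitlines():
        url = URL_RE.match(line)
        if url:
            pending = url.group(1).rsplit("/", 1)[-1]
            continue
        md5 = MD5_RE.match(line)
        if md5 and pending:
            expected[pending] = md5.group(1).lower()
        pending = None  # a checksum only binds to the URL directly above it
    return expected


def md5_of(path, chunk=1 << 16):
    """Hash a file in chunks so large packages are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_downloads(text, directory):
    """Map every listed filename to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, want in parse_advisory(text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if md5_of(path) == want else "MISMATCH"
    return results


def demo():
    """Constructed sample data: three fake packages, one altered, one absent."""
    a, b, c = b"constructed package A", b"constructed package B", b"constructed C"
    advisory = "".join(
        f">     http://mirror.example.invalid/updates/{name}\n"
        f">       MD5 checksum: {hashlib.md5(data).hexdigest()}\n"
        for name, data in (("pkg-a_1.0_all.deb", a), ("pkg-b_1.0_all.deb", b),
                           ("pkg-c_1.0_all.deb", c))
    )
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "pkg-a_1.0_all.deb").write_bytes(a)
        Path(tmp, "pkg-b_1.0_all.deb").write_bytes(b + b" altered in transit")
        return verify_downloads(advisory, tmp)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the advisory text it reads, so the PGP signature on the advisory should be verified first; MD5 is no longer collision-resistant, and signed package indexes with stronger hashes have replaced this manual step.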