php4パッケージの、4.0.3より前のバージョンに、リモートのユーザが、 PHPスクリプトを動かすユーザの権限でコードを実行できる、という問題が あります。 以下、debian-security-announce@lists.debian.orgに、10月14日付で流れた 情報です(遅れてすみません)(Debian Security Advisoryが2つ出ていますが、 最初のほうは、URLの記述が間違っていました)。参考訳をつけてありますが、 誤訳があるかもしれません。判断が必要な場合は引用している原文のほうを 参照してください。 http://lists.debian.org/debian-security-announce-00/msg00069.html http://lists.debian.org/debian-security-announce-00/msg00070.html (修正版) にて、PGP署名付きの原文を読むことができます。また、Web版が http://www.jp.debian.org/security/2000/20001014b にあります。 From: Daniel Jacobowitz <drow@xxxxxxxxxxxxx> Subject: [SECURITY] New version of Debian php4 packages released (updated) Date: Sat, 14 Oct 2000 03:46:21 -0400 > ---------------------------------------------------------------------------- > Debian Security Advisory security@debian.org > http://www.debian.org/security/ Daniel Jacobowitz > October 14, 2000 > ---------------------------------------------------------------------------- > Package: php4 > Vulnerability: possible remote exploit > Debian-specific: no > Vulnerable: yes パッケージ名: php4 問題の種類 : リモートからの不正利用の可能性 Debian 特有 : いいえ 攻撃可能性 : はい > [Updated version: corrected URLs] [更新版: URL 修正] > In versions of the PHP 4 packages before version 4.0.3, several format > string bugs could allow properly crafted requests to execute code as the > user running PHP scripts on the web server. バージョン 4.0.3 よりも前の PHP 4 パッケージには、複数のフォーマット 文字列バグがあります。これにより、巧妙に作成されたリクエストを使うと、 Web サーバ上の PHP スクリプトを実行するユーザの権限でコードを 実行させることができます。 > This problem is fixed in versions 4.0.3-0potato1 for Debian 2.2 (potato) and > 4.0.3-1 for Debian Unstable (woody). This is a bug fix release and we recommend > all users of php4 upgrade to it; potato users should note that this is an > upgrade from 4.0b3, but no incompatibilities are expected. この問題は、Debian 2.2 (potato) 用のバージョン 4.0.3-0potato1、 Debian 開発版 (Unstable、woody) 用のバージョン 4.0.3-1 で修正 されました。php4 ユーザはすべて、このバグ修正版にアップグレードする ことをお勧めします。ここで、potato ユーザは 4.0b3 からのアップ グレードになることに注意してください。予想できない非互換部分が あるかもしれません。 > Debian GNU/Linux 2.1 alias slink > -------------------------------- Debian GNU/Linux 2.1 別名 slink > Slink does not contain any php4 packages, and is therefore not affected. slink には php4 パッケージがないので、影響はありません。 > Debian GNU/Linux 2.2 (stable) alias potato > ------------------------------------------ Debian GNU/Linux 2.2 (安定版) 別名 potato > Fixes are currently available for the Alpha, Intel ia32, Motorola 680x0, > PowerPC and Sun SPARC architectures, and will be included in 2.2r1. 現在、Alpha、Intel ia32、Motorola 680x0、PowerPC、それと Sun SPARC 用の修正版があります。これらは 2.2r1 に含まれる予定です。 > Source archives: > http://security.debian.org/dists/potato/updates/main/source/php4_4.0.3-0potato1.diff.gz > MD5 checksum: a4a9ce00f9b85966521fccf91c20b1fe > http://security.debian.org/dists/potato/updates/main/source/php4_4.0.3-0potato1.dsc > MD5 checksum: 26e0cc7624981b4872e104b62151c4b1 > http://security.debian.org/dists/potato/updates/main/source/php4_4.0.3.orig.tar.gz > MD5 checksum: e80223ed44a445bbf202cd9a41a8fbbb > Architecture indendent archives: > http://security.debian.org/dists/potato/updates/main/binary-all/php4-dev_4.0.3-0potato1_all.deb > MD5 checksum: 04b2040609b61c7c2ad391a23450ec66 > Alpha architecture: > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-gd_4.0.3-0potato1_alpha.deb > MD5 checksum: d3fe7fef73c4b598a81fa2190d0c9eb5 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-imap_4.0.3-0potato1_alpha.deb > MD5 checksum: 1231668e5b49c44ec5aa1cf6260537ba > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-ldap_4.0.3-0potato1_alpha.deb > MD5 checksum: 7cbe170c8dc9d1692b5e3a59f225dc35 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-mhash_4.0.3-0potato1_alpha.deb > MD5 checksum: d41ac1166ace253daa79da899b60f1d2 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-mysql_4.0.3-0potato1_alpha.deb > MD5 checksum: 7ce535f98712a5b925e0e0c939623395 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-pgsql_4.0.3-0potato1_alpha.deb > MD5 checksum: 49fa22bbd37e6da2b42f2988c34f062f > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-snmp_4.0.3-0potato1_alpha.deb > MD5 checksum: 3c8ae9b6caff94e3cfe9396929678ea8 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi-xml_4.0.3-0potato1_alpha.deb > MD5 checksum: b6b109a24e81a346cae7ede4acb7b8d6 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-cgi_4.0.3-0potato1_alpha.deb > MD5 checksum: f9dfaf4d72f9fd72684a6c1ef70e88f0 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-gd_4.0.3-0potato1_alpha.deb > MD5 checksum: d738d12da802f8335c367c9c74f84702 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-imap_4.0.3-0potato1_alpha.deb > MD5 checksum: 93171ea93342cd4818cc2e470bf755dd > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-ldap_4.0.3-0potato1_alpha.deb > MD5 checksum: a566dcef79feaa5835bac1fdf25447c9 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-mhash_4.0.3-0potato1_alpha.deb > MD5 checksum: 10bbe8213e8016321c1c39dfa4c71d00 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-mysql_4.0.3-0potato1_alpha.deb > MD5 checksum: 82eaa050345ebb04183ba54cb91d1dd3 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-pgsql_4.0.3-0potato1_alpha.deb > MD5 checksum: 7756b53bd8889e76bb53ee200efa762a > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-snmp_4.0.3-0potato1_alpha.deb > MD5 checksum: 8768e4ac8a49fcd8fb93a39565ba9f6b > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4-xml_4.0.3-0potato1_alpha.deb > MD5 checksum: 1766704f4c160d70bbc8ceabbacb0485 > http://security.debian.org/dists/potato/updates/main/binary-alpha/php4_4.0.3-0potato1_alpha.deb > MD5 checksum: ab46675a4746fb9c6d98d41f69d6c39d > Intel ia32 architecture: > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-gd_4.0.3-0potato1_i386.deb > MD5 checksum: 950b8d77cabb51fa3fee93f542923b22 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-imap_4.0.3-0potato1_i386.deb > MD5 checksum: 4a1b39e86058ddef899ea7e30c165997 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-ldap_4.0.3-0potato1_i386.deb > MD5 checksum: f7ff7751166164afee9f213f088fd293 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-mhash_4.0.3-0potato1_i386.deb > MD5 checksum: 353afa5861d49ccc6c2d2fd3dafad21d > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-mysql_4.0.3-0potato1_i386.deb > MD5 checksum: 3d1336623f1e32d42efbb32097e50517 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-pgsql_4.0.3-0potato1_i386.deb > MD5 checksum: fcb4d91a0400a4a9f7e9f97b95a82efd > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-snmp_4.0.3-0potato1_i386.deb > MD5 checksum: d9c7aecfa1f2976f416936333d263323 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi-xml_4.0.3-0potato1_i386.deb > MD5 checksum: fdf4a7f0a185a9ca340378e6dbb982f7 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-cgi_4.0.3-0potato1_i386.deb > MD5 checksum: 5050b7fc859f50621a0d54922832c2f1 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-gd_4.0.3-0potato1_i386.deb > MD5 checksum: 10c0fa0f35e0527f3e2cd1b5b6602ab6 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-imap_4.0.3-0potato1_i386.deb > MD5 checksum: b411fb51803d7a96ad5eec056de9a41f > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-ldap_4.0.3-0potato1_i386.deb > MD5 checksum: 341d2bebc353f2ac4948a41d8b3fdb8c > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-mhash_4.0.3-0potato1_i386.deb > MD5 checksum: f6d0465fc1c25d4deecd15dd5e60927b > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-mysql_4.0.3-0potato1_i386.deb > MD5 checksum: a521a0332ee5c2ff325789c21c9bcc60 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-pgsql_4.0.3-0potato1_i386.deb > MD5 checksum: 979ffc72564dcd02dae7bb2d97f73bbc > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-snmp_4.0.3-0potato1_i386.deb > MD5 checksum: 3a174bf266dec089aba50049090fc518 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4-xml_4.0.3-0potato1_i386.deb > MD5 checksum: 94ac2a5dbb47e4cf86c95579cff37320 > http://security.debian.org/dists/potato/updates/main/binary-i386/php4_4.0.3-0potato1_i386.deb > MD5 checksum: ac2b7d167760365d1143caa0483ca9d8 > Motorola 680x0 architecture: > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-gd_4.0.3-0potato1_m68k.deb > MD5 checksum: cf953a514fc74d16330a5fd61ca6f1d2 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-imap_4.0.3-0potato1_m68k.deb > MD5 checksum: 54a1330b08760e2105a297652262b5f0 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-ldap_4.0.3-0potato1_m68k.deb > MD5 checksum: 3e589a6b10fd4c5b8cf0bcc823e1c136 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-mhash_4.0.3-0potato1_m68k.deb > MD5 checksum: 0bee1f3abd78718cd2ccc48862cd62d3 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-mysql_4.0.3-0potato1_m68k.deb > MD5 checksum: 8dc08d54bed91db40dce3d66f3ec4515 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-pgsql_4.0.3-0potato1_m68k.deb > MD5 checksum: 1b61adc8cf8f0a9782057d622aedcedf > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-snmp_4.0.3-0potato1_m68k.deb > MD5 checksum: 0ba4613f858af4679d28bac799d9381d > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi-xml_4.0.3-0potato1_m68k.deb > MD5 checksum: 60047aecb794b0988e6834ad51991e6c > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-cgi_4.0.3-0potato1_m68k.deb > MD5 checksum: c50c7ea097c5ba876de023f519582c3b > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-gd_4.0.3-0potato1_m68k.deb > MD5 checksum: 5fd8393cd6d3bb17c5a0cb91846c3c4e > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-imap_4.0.3-0potato1_m68k.deb > MD5 checksum: 1f1fc4b0822bebf7fc1c8832066cce2d > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-ldap_4.0.3-0potato1_m68k.deb > MD5 checksum: de194dfccf9acbe7acf674949bd306c9 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-mhash_4.0.3-0potato1_m68k.deb > MD5 checksum: 2329a5ee7ad19c0a791923fddb8a35c1 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-mysql_4.0.3-0potato1_m68k.deb > MD5 checksum: 9a9ada8c95f121ab1ae7b9137990e54b > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-pgsql_4.0.3-0potato1_m68k.deb > MD5 checksum: a2b7f9d325021b55c3f33e8744b91793 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-snmp_4.0.3-0potato1_m68k.deb > MD5 checksum: 3892fc2afd953838847d38a1787dd289 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4-xml_4.0.3-0potato1_m68k.deb > MD5 checksum: 94fa954c37a23af00976b231bf1fd4f6 > http://security.debian.org/dists/potato/updates/main/binary-m68k/php4_4.0.3-0potato1_m68k.deb > MD5 checksum: ca8ff47ba9b93365b9d05ba397b02608 > PowerPC architecture: > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-gd_4.0.3-0potato1_powerpc.deb > MD5 checksum: 77f491b502259bba05cbe3a0ee1366f3 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-imap_4.0.3-0potato1_powerpc.deb > MD5 checksum: 920705ee0db58017de6a45e3343e9903 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-ldap_4.0.3-0potato1_powerpc.deb > MD5 checksum: 89a30a1bdba82ab3b97c4a15d592b9e0 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-mhash_4.0.3-0potato1_powerpc.deb > MD5 checksum: dea22760f061bea67e95336b145965f6 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-mysql_4.0.3-0potato1_powerpc.deb > MD5 checksum: a62c51d74bf005ac33aef5f20976a26c > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-pgsql_4.0.3-0potato1_powerpc.deb > MD5 checksum: e8594ffbda40270ce33510307cd2b8c9 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-snmp_4.0.3-0potato1_powerpc.deb > MD5 checksum: 5f463d50289c4d73085a1c06317b2d0c > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi-xml_4.0.3-0potato1_powerpc.deb > MD5 checksum: 67a88882315b6a80e52066b15a5430f1 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-cgi_4.0.3-0potato1_powerpc.deb > MD5 checksum: 562d0f98df13c64446b5f9157b164890 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-gd_4.0.3-0potato1_powerpc.deb > MD5 checksum: 5cd5a5c626174e945804a9eeb78b357b > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-imap_4.0.3-0potato1_powerpc.deb > MD5 checksum: b79798b045e33f1633948b3f9187fd17 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-ldap_4.0.3-0potato1_powerpc.deb > MD5 checksum: 46d1767444a584cc5857fcf4ad69c1d7 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-mhash_4.0.3-0potato1_powerpc.deb > MD5 checksum: c885eb618264bbd7ed40182176c9a627 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-mysql_4.0.3-0potato1_powerpc.deb > MD5 checksum: 4761cb89398d57b0faffd8266775c008 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-pgsql_4.0.3-0potato1_powerpc.deb > MD5 checksum: 5caecc8f2ab14ea88f18be1e28158113 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-snmp_4.0.3-0potato1_powerpc.deb > MD5 checksum: 644c612dc6311f8fb1eaa7a7e5292341 > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4-xml_4.0.3-0potato1_powerpc.deb > MD5 checksum: f8de34081f2cd5a7373eb441b797d3df > http://security.debian.org/dists/potato/updates/main/binary-powerpc/php4_4.0.3-0potato1_powerpc.deb > MD5 checksum: eb844ebce5c2674c0981295d0992d9ff > Sun Sparc architecture: > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-gd_4.0.3-0potato1_sparc.deb > MD5 checksum: d467f114370d358e0a02ea1de2495b4e > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-imap_4.0.3-0potato1_sparc.deb > MD5 checksum: fb9d8131160fd7915bd1e2c700662323 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-ldap_4.0.3-0potato1_sparc.deb > MD5 checksum: 9eed208d160ba83cab07a99d83448800 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-mhash_4.0.3-0potato1_sparc.deb > MD5 checksum: a90eb840733313cc4daf1e57f3cddf63 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-mysql_4.0.3-0potato1_sparc.deb > MD5 checksum: ee479f23bad040b9fa4fc960bb0998b8 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-pgsql_4.0.3-0potato1_sparc.deb > MD5 checksum: 6339a967c077b4eae3cf32974657759c > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-snmp_4.0.3-0potato1_sparc.deb > MD5 checksum: 2cda52b681eb985958135434edeb5ae6 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi-xml_4.0.3-0potato1_sparc.deb > MD5 checksum: 756fa42bf5d0af442291efa6ad719b38 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-cgi_4.0.3-0potato1_sparc.deb > MD5 checksum: f4dbb48a2c0c904d3180e4699426f20a > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-gd_4.0.3-0potato1_sparc.deb > MD5 checksum: 90f994f67c2a0a902a16aeb2acac9556 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-imap_4.0.3-0potato1_sparc.deb > MD5 checksum: 17997e09572e612f4fc3d0aad8b74fe8 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-ldap_4.0.3-0potato1_sparc.deb > MD5 checksum: a9985cd2954c5d44d6e7a57d717c0097 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-mhash_4.0.3-0potato1_sparc.deb > MD5 checksum: 49aa1c86cb9ec06c17bc2d727b75e1b0 > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-mysql_4.0.3-0potato1_sparc.deb > MD5 checksum: bac338543482d242d1c5cd936690eb1f > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-pgsql_4.0.3-0potato1_sparc.deb > MD5 checksum: 5f8ff8caf9086525012db9234a94ff8c > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-snmp_4.0.3-0potato1_sparc.deb > MD5 checksum: 5d20c6b5fce5bbeb04a422a7ee3cbadd > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4-xml_4.0.3-0potato1_sparc.deb > MD5 checksum: e0360986406d5f566356f0389bd338dc > http://security.debian.org/dists/potato/updates/main/binary-sparc/php4_4.0.3-0potato1_sparc.deb > MD5 checksum: c25c1000ce84068fb5ae3b0c36a2c154 > Debian GNU/Linux Unstable alias woody > ------------------------------------- Debian GNU/Linux 開発版 別名 woody > This version of Debian is not yet released. Debian のこのバージョンは、まだリリースされていません。 > Fixes are currently available for Alpha and Intel ia32 in the Debian > archives; fixes for other architectures will be made available shortly. 現在、Alpha と Intel ia32 版の修正版が Debian アーカイブにあります。 ほかのアーキテクチャの修正版もまもなく利用可能になります。 > ---------------------------------------------------------------------------- > For apt-get: deb http://security.debian.org/ stable/updates main > Mailing list: debian-security-announce@lists.debian.org -- 喜瀬“冬猫”浩@南国沖縄
Attachment:
pgpkltMwQoB4Y.pgp
Description: PGP signature