-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0033

Package name:      mod_php{3,4}
Summary:           Security fix
Date:              2002-02-28
Affected versions: TSL 1.1, 1.2, 1.5

- --------------------------------------------------------------------------

Problem description:
  The php-package in TSL 1.1 and 1.2, had the following issues: 
  - broken boundary check (hard to exploit)
  - arbitrary heap overflow  (easy exploitable)
  These are now fixed. Also we upgraded from 3.0.17 to 3.0.18.
  The mod_php4 package in TSL 1.5 had the following issue:
  - broken boundary check (very easy to exploit, but not an issue in the
  default TSL configuration). This issue has also been adressed.

Action:
  We recommend that all systems with this package installed are upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All TSL updates are available from
  <URI:http://www.trustix.net/pub/Trustix/updates/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.

  Get SWUP from:
  <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
  These packages have been available for public testing for some time.
  If you want to contribute by testing the various packages in the
  testing tree, please feel free to share your findings on the
  tsl-discuss mailinglist.
  The testing tree is located at
  <URI:http://www.trustix.net/pub/Trustix/testing/>
  <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>
  

Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.net/support/>


Verification:
  This advisory along with all TSL packages are signed with the TSL sign key.
  This key is available from:
  <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.net/errata/trustix-1.2/> and
  <URI:http://www.trustix.net/errata/trustix-1.5/>
  or directly at
  <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0033-mod_phpX.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
e24fcaea112eb65d8bb0e83160714eb1  ./1.5/SRPMS/mod_php4-4.0.6-8tr.src.rpm
7b43397d31763a1606b1107e33592bc1  ./1.5/RPMS/mod_php4-pgsql-4.0.6-8tr.i586.rpm
87faf30b85be317a63b1269295c2f38b  ./1.5/RPMS/mod_php4-mysql-4.0.6-8tr.i586.rpm
0104ff0a8bda184e98e74b1a04612ae7  ./1.5/RPMS/mod_php4-ldap-4.0.6-8tr.i586.rpm
2203998823278dfd7feff06e1d769be1  ./1.5/RPMS/mod_php4-4.0.6-8tr.i586.rpm
4d79a20eb7fbcbb563d1849e332face5  ./1.2/SRPMS/mod_php3-3.0.18-1tr.src.rpm
9b9d54dba3a2ae38839df03efd97e128  ./1.2/RPMS/mod_php3-3.0.18-1tr.i586.rpm
4d79a20eb7fbcbb563d1849e332face5  ./1.1/SRPMS/mod_php3-3.0.18-1tr.src.rpm
b0a7ad2cbfda114a4c4fc993128609bd  ./1.1/RPMS/mod_php3-3.0.18-1tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8fjv0wRTcg4BxxS0RAix9AJ9v8SIVBTUFcqYvhSntBFh1NcmE1wCfaKbB
brzjYGrmwzUGUvruzWy85ps=
=ie0j
-----END PGP SIGNATURE-----