Security Advisory Important: php security update

Advisory: RHSA-2006:0731-3
Type: Security Advisory
Severity: Important
Issued on: 2006-11-10
Last updated on: 2006-11-10
Affected Products: Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
OVAL: N/A
CVEs (cve.mitre.org): CVE-2006-5465

Details

Updated PHP packages that fix a security issue are now available for the
Red Hat Application Stack.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Web server.

The Hardened-PHP Project discovered an overflow in the PHP htmlentities()
and htmlspecialchars() routines. If a PHP script used the vulnerable
functions to parse UTF-8 data, a remote attacker sending a carefully
crafted request could trigger the overflow and potentially execute
arbitrary code as the 'apache' user. (CVE-2006-5465)

Users of PHP should upgrade to these updated packages which contain a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Application Stack v1 for Enterprise Linux AS (v.4)
SRPMS:
php-5.1.4-1.el4s1.5.src.rpm
File outdated by:  RHSA-2008:0582		     9161a1d8e9bce699d4bd831b9b0ca06f
 
IA-32:
php-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     83947aee60a8d3ee50e440de5ab47fd0
php-bcmath-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     13ae4bedc7e1687f5b6e49cfa778268c
php-dba-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     0acb5aeb696fae4b66613b0069498b43
php-devel-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     50e3d2f7054f9c06c1ed189859a263c7
php-gd-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     f28e19c9cf8f2862a5e7b5473646ad4c
php-imap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     bbfb6117572d65c5ddef5867a1ba2602
php-ldap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     e630f9ec2a88f94de7cffedbb69dc13f
php-mbstring-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     86628677256e0dcf96d5e5f1b6782e4b
php-mysql-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     0fe958c2a351bb83a612e62ec233adc4
php-ncurses-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     bf4c8581463c09a64e95aa9fb1bc7541
php-odbc-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     a3f61f9b1a3aaa1ae45a17609e3a883d
php-pdo-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     2776adfdc5b395a055e8c678cba4fc6e
php-pgsql-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     2fae4d10a2a18db6e1b30d7eb3cae8ad
php-snmp-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     d784de802fe900fe0f03cf7bfe2432a5
php-soap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     5b97be5e2b5de8ed19950e284a0410d0
php-xml-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     f1bbc1d5bdc903b9d469ee1fc9993954
php-xmlrpc-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     ec864278247fe343b014e736b92fe393
 
x86_64:
php-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     6db081a10dfa5af39e2f2f150b3c91b7
php-bcmath-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     0f847444a2c2b9e2efa63b6430a2d1a2
php-dba-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     913527609e55127c5a62fa74ae7a055a
php-devel-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     f7e197b2b1507513b0d2fe10f9222749
php-gd-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     c0214169b8fbd802ab60d69ad7e8cdbf
php-imap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     0073cb2971941a6f48b1d6d2ff9d8463
php-ldap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     32139845801f794850ef3f9d5168e14c
php-mbstring-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     88a355fa5d7cab6dd63e16014d2667b9
php-mysql-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     6dd28379b47bf167b72c6d266fdd9ad7
php-ncurses-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     14c241ac5172c06eb6e61103932a3e2e
php-odbc-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     c3a70245150763eb9244a19206f6cbe5
php-pdo-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     a8616a5c2c84273ba6932aa8b93d5d72
php-pgsql-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     be110a73781f9d4856d020d9e2c84415
php-snmp-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     4a6ad0570e308e421351af1cb55ac3a3
php-soap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     ab3ec9bf114ad466aeffb5be74f59bc5
php-xml-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     4453298b314c8bc9cfc8840f25037ac7
php-xmlrpc-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     a4cc0023fa194029b7fc57f295419b3b
 
Red Hat Application Stack v1 for Enterprise Linux ES (v.4)
SRPMS:
php-5.1.4-1.el4s1.5.src.rpm
File outdated by:  RHSA-2008:0582		     9161a1d8e9bce699d4bd831b9b0ca06f
 
IA-32:
php-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     83947aee60a8d3ee50e440de5ab47fd0
php-bcmath-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     13ae4bedc7e1687f5b6e49cfa778268c
php-dba-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     0acb5aeb696fae4b66613b0069498b43
php-devel-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     50e3d2f7054f9c06c1ed189859a263c7
php-gd-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     f28e19c9cf8f2862a5e7b5473646ad4c
php-imap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     bbfb6117572d65c5ddef5867a1ba2602
php-ldap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     e630f9ec2a88f94de7cffedbb69dc13f
php-mbstring-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     86628677256e0dcf96d5e5f1b6782e4b
php-mysql-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     0fe958c2a351bb83a612e62ec233adc4
php-ncurses-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     bf4c8581463c09a64e95aa9fb1bc7541
php-odbc-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     a3f61f9b1a3aaa1ae45a17609e3a883d
php-pdo-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     2776adfdc5b395a055e8c678cba4fc6e
php-pgsql-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     2fae4d10a2a18db6e1b30d7eb3cae8ad
php-snmp-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     d784de802fe900fe0f03cf7bfe2432a5
php-soap-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     5b97be5e2b5de8ed19950e284a0410d0
php-xml-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     f1bbc1d5bdc903b9d469ee1fc9993954
php-xmlrpc-5.1.4-1.el4s1.5.i386.rpm
File outdated by:  RHSA-2008:0582		     ec864278247fe343b014e736b92fe393
 
x86_64:
php-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     6db081a10dfa5af39e2f2f150b3c91b7
php-bcmath-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     0f847444a2c2b9e2efa63b6430a2d1a2
php-dba-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     913527609e55127c5a62fa74ae7a055a
php-devel-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     f7e197b2b1507513b0d2fe10f9222749
php-gd-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     c0214169b8fbd802ab60d69ad7e8cdbf
php-imap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     0073cb2971941a6f48b1d6d2ff9d8463
php-ldap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     32139845801f794850ef3f9d5168e14c
php-mbstring-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     88a355fa5d7cab6dd63e16014d2667b9
php-mysql-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     6dd28379b47bf167b72c6d266fdd9ad7
php-ncurses-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     14c241ac5172c06eb6e61103932a3e2e
php-odbc-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     c3a70245150763eb9244a19206f6cbe5
php-pdo-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     a8616a5c2c84273ba6932aa8b93d5d72
php-pgsql-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     be110a73781f9d4856d020d9e2c84415
php-snmp-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     4a6ad0570e308e421351af1cb55ac3a3
php-soap-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     ab3ec9bf114ad466aeffb5be74f59bc5
php-xml-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     4453298b314c8bc9cfc8840f25037ac7
php-xmlrpc-5.1.4-1.el4s1.5.x86_64.rpm
File outdated by:  RHSA-2008:0582		     a4cc0023fa194029b7fc57f295419b3b
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

213644 - CVE-2006-5465 PHP buffer overflow


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5465
http://www.hardened-php.net/advisory_132006.138.html
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/