Security Advisory Moderate: Red Hat Application Stack v2.1 security and enhancement update

Advisory: RHSA-2008:0505-12
Type: Security Advisory
Severity: Moderate
Issued on: 2008-07-02
Last updated on: 2008-07-02
Affected Products: Red Hat Application Stack v2
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-4782, CVE-2007-5898, CVE-2007-5899, CVE-2008-0599, CVE-2008-2051, CVE-2008-2079, CVE-2008-2107, CVE-2008-2108

Details

Red Hat Application Stack v2.1 is now available. This update fixes various
security issues and adds several enhancements.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The Red Hat Application Stack is an integrated open source application
stack, and includes JBoss Enterprise Application Platform (EAP).

Starting with this update, JBoss EAP is no longer provided via the
Application Stack channels. Instead, all Application Stack customers are
automatically entitled to the JBoss EAP channels. This ensures all users
have immediate access to JBoss EAP packages when they are released,
reducing the wait for security and critical patches.

As a result, you must MANUALLY subscribe to the appropriate JBoss EAP
channel, as all further JBoss EAP updates will only go to that channel.

This update also entitles all customers to the JBoss EAP 4.3.0 channels.
Users receive support for JBoss EAP 4.3.0 if they choose to install it.
Important: downgrading from JBoss EAP 4.3.0 to 4.2.0 is unsupported.

PHP was updated to version 5.2.6, fixing the following security issues:

It was discovered that the PHP escapeshellcmd() function did not properly
escape multi-byte characters which are not valid in the locale used by the
script. This could allow an attacker to bypass quoting restrictions imposed
by escapeshellcmd() and execute arbitrary commands if the PHP script was
using certain locales. Scripts using the default UTF-8 locale are not
affected by this issue. (CVE-2008-2051)

The PHP functions htmlentities() and htmlspecialchars() did not properly
recognize partial multi-byte sequences. Certain sequences of bytes could be
passed through these functions without being correctly HTML-escaped.
Depending on the browser being used, an attacker could use this flaw to
conduct cross-site scripting attacks. (CVE-2007-5898)

A PHP script which used the transparent session ID configuration option, or
which used the output_add_rewrite_var() function, could leak session
identifiers to external web sites. If a page included an HTML form with an
ACTION attribute referencing a non-local URL, the user's session ID would
be included in the form data passed to that URL. (CVE-2007-5899)
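
An audit for the exposure described above, as an added example that is not part of the original advisory: it reports forms whose ACTION points off-site when transparent session IDs are enabled in php.ini. The sample php.ini, the sample page and the host names are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory).
SAMPLE_INI = """[Session]
; rewrite URLs and forms to carry the session ID
session.use_trans_sid = 1
"""
SAMPLE_PAGE = """<html><body>
<form action="/search.php" method="get"><input name="q"></form>
<form ACTION="http://partner.example.net/subscribe" method="post">
  <input name="email">
</form>
<form action="//www.example.com/login.php" method="post"></form>
</body></html>
"""

def trans_sid_enabled(php_ini_text):
    """Return True if php.ini turns on transparent session IDs (PHP default: off)."""
    enabled = False
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0]  # ';' starts a php.ini comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "session.use_trans_sid":
            enabled = value.strip().strip('"').lower() in {"1", "on", "yes", "true"}
    return enabled

class FormActionAudit(HTMLParser):
    """Collect <form> tags whose action points at a host outside local_hosts."""
    def __init__(self, local_hosts):
        super().__init__()
        self.local_hosts = {h.lower() for h in local_hosts}
        self.external = []  # (line number, action URL)
    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        action = (dict(attrs).get("action") or "").strip()
        host = urlsplit(action).hostname  # None for relative URLs
        if host and host not in self.local_hosts:
            self.external.append((self.getpos()[0], action))

def leaking_forms(html, php_ini_text, local_hosts):
    """Forms that would receive the session ID on an unpatched PHP."""
    if not trans_sid_enabled(php_ini_text):
        return []  # output_add_rewrite_var() use must be checked in code separately
    audit = FormActionAudit(local_hosts)
    audit.feed(html)
    audit.close()
    return audit.external
```

Run it over rendered pages or static templates; forms built at runtime need the same check against the generated HTML.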

It was discovered that the PHP fnmatch() function did not restrict the
length of the string argument. An attacker could use this flaw to crash the
PHP interpreter where a script used fnmatch() on untrusted input data.
(CVE-2007-4782)

It was discovered that PHP did not properly seed its pseudo-random number
generator used by functions such as rand() and mt_rand(), possibly allowing
an attacker to easily predict the generated pseudo-random values.
(CVE-2008-2107, CVE-2008-2108)

A flaw was found in PHP's CGI server API. If the web server did not set the
DOCUMENT_ROOT environment variable for PHP (e.g. when running PHP in the
FastCGI server mode), an attacker could cause a crash of the PHP child
process, causing a temporary denial of service. (CVE-2008-0599)

MySQL was updated to version 5.0.50sp1a, fixing the following security
issue:

MySQL did not correctly check directories used as arguments for the DATA
DIRECTORY and INDEX DIRECTORY directives. Using this flaw, an authenticated
attacker could elevate their access privileges to tables created by other
database users. Note: this attack does not work on existing tables. An
attacker can only elevate their access to another user's tables as the
tables are created. As well, the names of these created tables need to be
predicted correctly for this attack to succeed. (CVE-2008-2079)

The following packages are updated:

* httpd to 2.2.8
* mod_jk to 1.2.26
* mod_perl to 2.0.4
* the MySQL Connector/ODBC to 3.51.24r1071
* the MySQL Connector/J (JDBC driver) to 5.0.8
* perl-DBD-MySQL to 4.006
* perl-DBI to 1.604
* postgresql to 8.2.7
* postgresql-jdbc to 8.2.508
* postgresqlclient81 to 8.1.11
* postgresql-odbc to 8.02.0500


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
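
A post-update check, as an added example that is not part of the original advisory: it compares installed package versions against the fixed versions named in the text above, using a simplified rpm-style version ordering. The sample query output is constructed, the function names are hypothetical, and only the VERSION field is compared, not the release.

```python
import re

# Fixed versions named in this advisory's text (subset).
FIXED = {"php": "5.2.6", "mysql": "5.0.50sp1a", "httpd": "2.2.8", "mod_perl": "2.0.4"}

# Constructed sample of: rpm -qa --queryformat '%{NAME} %{VERSION}\n'
SAMPLE_RPM_QA = """php 5.2.3
mysql 5.0.50sp1a
httpd 2.2.8
mod_perl 2.0.3
bash 3.2
"""

def vercmp(a, b):
    """Simplified rpm-style compare: -1, 0 or 1. Ignores '~' and '^' handling."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", v) for v in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)  # "006" and "6" compare equal
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments mean newer

def below_fixed(rpm_query_output):
    """Return (name, installed, fixed) for packages older than the advisory's version."""
    findings = []
    for line in rpm_query_output.splitlines():
        name, _, version = line.strip().partition(" ")
        fixed = FIXED.get(name)
        if fixed and vercmp(version, fixed) < 0:
            findings.append((name, version, fixed))
    return findings
```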

Updated packages

Red Hat Application Stack v2

SRPMS:
httpd-2.2.8-1.el5s2.src.rpm     3a7629c3f073fc9b38a2a99e379f8918
mod_jk-1.2.26-1.el5s2.src.rpm     f550f70743991ae8b2f0a42ffab0cc1d
mod_perl-2.0.4-3.el5s2.src.rpm     9835b083fcf2283fc5463bfe48b741e9
mysql-5.0.50sp1a-2.el5s2.src.rpm     dee620187dbc6cbdd35308f31ab71215
mysql-connector-odbc-3.51.24r1071-1.el5s2.src.rpm     33da366dbcda00963ee8376851265730
mysql-jdbc-5.0.8-1jpp.1.el5s2.src.rpm     a556f9f682eaefb56287fe2c6179715f
perl-DBD-MySQL-4.006-1.el5s2.src.rpm     7c5fd3de70fce8752cb54c317f3863d8
perl-DBI-1.604-1.el5s2.src.rpm     0a1844085fff1d980f0d4c65a41fb27e
php-5.2.6-2.el5s2.src.rpm     50706f36c326d8a712aec1d79abe703c
postgresql-8.2.9-1.el5s2.src.rpm     0d155cf676037a13cde41d5a20652859
postgresql-jdbc-8.2.508-1jpp.el5s2.src.rpm     c3fdd75b5ef64058f9754e650aba31c3
postgresql-odbc-08.02.0500-1.el5s2.src.rpm     6e24fb99ae3c8304942af4306a1f1ebb
postgresqlclient81-8.1.11-1.el5s2.src.rpm     456d64ae374484d9d86849ee19bbbcbc
unixODBC-2.2.12-8.el5s2.src.rpm     4fa906b652d2d0a202f3d2626e4f5de7
 
IA-32:
httpd-2.2.8-1.el5s2.i386.rpm     c980db7f747457934c68a256e16644de
httpd-devel-2.2.8-1.el5s2.i386.rpm     7600fdea50cdcb411ca0dbc78e60d97d
httpd-manual-2.2.8-1.el5s2.i386.rpm     d28a8af425171853be020cb8e5f9921b
mod_jk-ap20-1.2.26-1.el5s2.i386.rpm     fd2ea2c82ff879e4713ad779a60a9bef
mod_perl-2.0.4-3.el5s2.i386.rpm     011203a5aa196ffff8962209488479ad
mod_perl-devel-2.0.4-3.el5s2.i386.rpm     62267dbef4c1793f32ccae8c11a98d85
mod_ssl-2.2.8-1.el5s2.i386.rpm     f740ae92fea2fa8e39eaf01396d7aa9f
mysql-5.0.50sp1a-2.el5s2.i386.rpm     d425646f7c112dd93be16c72d0a05f7a
mysql-bench-5.0.50sp1a-2.el5s2.i386.rpm     2bd9b78202658ca0980ddb7c43c8fe12
mysql-cluster-5.0.50sp1a-2.el5s2.i386.rpm     b0aa9012afa3e420426b4b965146b51c
mysql-connector-odbc-3.51.24r1071-1.el5s2.i386.rpm     5951be9c96681d349422c7e6a508eada
mysql-devel-5.0.50sp1a-2.el5s2.i386.rpm     9e2ee3b2eca8a37c4f07534f1fa375e6
mysql-jdbc-5.0.8-1jpp.1.el5s2.noarch.rpm     bdd46ffc4a00d57da79d88c8870ae2c6
mysql-libs-5.0.50sp1a-2.el5s2.i386.rpm     0dd9c46f3ece7d8eef30a4b0f3d257bb
mysql-server-5.0.50sp1a-2.el5s2.i386.rpm     463cf26b0ca1cfe9d9783cc20ca17672
mysql-test-5.0.50sp1a-2.el5s2.i386.rpm     824471bba1eb63f0fd5d2c8acd6aef53
perl-DBD-MySQL-4.006-1.el5s2.i386.rpm     2da2f0fe325f141631eebb014fc13fa4
perl-DBI-1.604-1.el5s2.i386.rpm     4a4a00038c585b47667801962b08b9da
php-5.2.6-2.el5s2.i386.rpm     d7f8aab9906866fd49c0dbff7657781d
php-bcmath-5.2.6-2.el5s2.i386.rpm     ccea42f64bdfd33413e47d384dad5b13
php-cli-5.2.6-2.el5s2.i386.rpm     c5c50b4fe59caf1c454f277da3b660c2
php-common-5.2.6-2.el5s2.i386.rpm     459003634a783a5367aadfb881e074c1
php-dba-5.2.6-2.el5s2.i386.rpm     a91c1b48275172711776b4740e5e8d67
php-devel-5.2.6-2.el5s2.i386.rpm     b631bbe6aba76a3a0d1618aeefdcb540
php-gd-5.2.6-2.el5s2.i386.rpm     0936dc27f9d760ad6443c742d4d468a1
php-imap-5.2.6-2.el5s2.i386.rpm     368cb646ef916d271ef9ec2185d77b76
php-ldap-5.2.6-2.el5s2.i386.rpm     7641d276c0f20b62a61f8d7b8d5a97b8
php-mbstring-5.2.6-2.el5s2.i386.rpm     615155811cccbef6b755e380bbdcb160
php-mysql-5.2.6-2.el5s2.i386.rpm     088bc20ff91e133a17c5e01ca3c50c64
php-ncurses-5.2.6-2.el5s2.i386.rpm     3b624cc63f8d9b37b0ba4671b995f2d5
php-odbc-5.2.6-2.el5s2.i386.rpm     c2fcc43c7943ea1268b29ab7d6fb1892
php-pdo-5.2.6-2.el5s2.i386.rpm     fe1b012eb1bc93b2f09949e182e880d7
php-pgsql-5.2.6-2.el5s2.i386.rpm     11e92ad29f08e2dc8a5406b746009fcd
php-snmp-5.2.6-2.el5s2.i386.rpm     c29c617d80fc5c235ba655930c9482c3
php-soap-5.2.6-2.el5s2.i386.rpm     e0dabe6c8a4f0b00acee0e240a0d8411
php-xml-5.2.6-2.el5s2.i386.rpm     c3a7a1c444f72ae313070a4275c9d7ff
php-xmlrpc-5.2.6-2.el5s2.i386.rpm     0cfb6ac670441326c98b75a5ffe7d1a1
postgresql-8.2.9-1.el5s2.i386.rpm     8744bcac63aeb1c28e300dd4ec73e929
postgresql-contrib-8.2.9-1.el5s2.i386.rpm     413b47784d4c4fd4449423f6cfe9d9a1
postgresql-devel-8.2.9-1.el5s2.i386.rpm     4cb8d1f845993a7bca5b0bf7f228e6ac
postgresql-docs-8.2.9-1.el5s2.i386.rpm     82ba3acdb107647c7322c5c1a94ed898
postgresql-jdbc-8.2.508-1jpp.el5s2.i386.rpm     732db14f0c53b7ba19b62e6b93b58f4a
postgresql-libs-8.2.9-1.el5s2.i386.rpm     01a7ae4dd35584a7d0c98bbc5466d018
postgresql-odbc-08.02.0500-1.el5s2.i386.rpm     dfa12e06d755870ea60e00958c75ef1a
postgresql-plperl-8.2.9-1.el5s2.i386.rpm     5f2e8668bdc718d4951438eff85962e1
postgresql-plpython-8.2.9-1.el5s2.i386.rpm     d288116016768e50cdd84efbbda5e33e
postgresql-pltcl-8.2.9-1.el5s2.i386.rpm     6200e2982137243118c83fb298135ec9
postgresql-python-8.2.9-1.el5s2.i386.rpm     ab6e27f2331fdb90bacc476cb7952aca
postgresql-server-8.2.9-1.el5s2.i386.rpm     17062db6b66f8f3f7040dd815e4172ec
postgresql-tcl-8.2.9-1.el5s2.i386.rpm     c0b514eaff55dd440fef7f80a4283e32
postgresql-test-8.2.9-1.el5s2.i386.rpm     f6983989792738553093dbf307f51103
postgresqlclient81-8.1.11-1.el5s2.i386.rpm     5c59f3ca0344f63f23a5b8b77c015170
unixODBC-2.2.12-8.el5s2.i386.rpm     fdf4a4fc2ff5445d7d8e665c764ba3e6
unixODBC-devel-2.2.12-8.el5s2.i386.rpm     919c811803547f8064cf0b53221c1fc8
unixODBC-kde-2.2.12-8.el5s2.i386.rpm     f57919657dd66cc910728d995dbac9a4
 
x86_64:
httpd-2.2.8-1.el5s2.x86_64.rpm     15e6903c176377da395e3e359bde1477
httpd-devel-2.2.8-1.el5s2.x86_64.rpm     02a5b0a3a60120597821fc7cc5e04606
httpd-manual-2.2.8-1.el5s2.x86_64.rpm     561c8d7eafef955e1054afe178c5145d
mod_jk-ap20-1.2.26-1.el5s2.x86_64.rpm     4f7ab058924788559db2fead237da6d6
mod_perl-2.0.4-3.el5s2.x86_64.rpm     5e3f218f07501694e2ceec48d0352202
mod_perl-devel-2.0.4-3.el5s2.x86_64.rpm     c7bf52448ca0271b0b42948defb98a32
mod_ssl-2.2.8-1.el5s2.x86_64.rpm     94e5324b3f3278b0a32844c5092156c4
mysql-5.0.50sp1a-2.el5s2.x86_64.rpm     31e0cd2d6014ca2d9490524d3152af84
mysql-bench-5.0.50sp1a-2.el5s2.x86_64.rpm     9f42d5eba3c0062d67750bb04058c534
mysql-cluster-5.0.50sp1a-2.el5s2.x86_64.rpm     f92339fc48641b15f27b4d35ec00e5bd
mysql-connector-odbc-3.51.24r1071-1.el5s2.x86_64.rpm     e1b36524b875af2b864e9c6c60398996
mysql-devel-5.0.50sp1a-2.el5s2.x86_64.rpm     8d6224f110943aad1a45fc77a93631ca
mysql-jdbc-5.0.8-1jpp.1.el5s2.noarch.rpm     bdd46ffc4a00d57da79d88c8870ae2c6
mysql-libs-5.0.50sp1a-2.el5s2.x86_64.rpm     7b3f0e78d661c84b8844fdc486e8e5d7
mysql-server-5.0.50sp1a-2.el5s2.x86_64.rpm     bc458c5a01c1be657fd2a4ab4dc5fd23
mysql-test-5.0.50sp1a-2.el5s2.x86_64.rpm     bf3778a93fc1364886b7874792d42ff9
perl-DBD-MySQL-4.006-1.el5s2.x86_64.rpm     ba9aad7f71b19153ff9094083bb632a3
perl-DBI-1.604-1.el5s2.x86_64.rpm     605f9747de11617c92dcf9d2c68c3acc
php-5.2.6-2.el5s2.x86_64.rpm     988a02d420f403462842981dde7ad704
php-bcmath-5.2.6-2.el5s2.x86_64.rpm     79bfb518b5f71af504e858cfc82c4c46
php-cli-5.2.6-2.el5s2.x86_64.rpm     0359316ce574f390fa0073a0938fe308
php-common-5.2.6-2.el5s2.x86_64.rpm     1ea927a7bf9c487555869539c01941e1
php-dba-5.2.6-2.el5s2.x86_64.rpm     fae2870feb1073a5ac027749565b2ded
php-devel-5.2.6-2.el5s2.x86_64.rpm     4fc77bcbd1da33ef770a7c9d9298bf76
php-gd-5.2.6-2.el5s2.x86_64.rpm     860df572f887f70c9f3ecff882fa04b7
php-imap-5.2.6-2.el5s2.x86_64.rpm     9ce7189eae04193fee4f27adbbc97c20
php-ldap-5.2.6-2.el5s2.x86_64.rpm     4b8e5902662dd4f8ffe3c326dc9be6fa
php-mbstring-5.2.6-2.el5s2.x86_64.rpm     388e4772b864e9177520a5c65503545f
php-mysql-5.2.6-2.el5s2.x86_64.rpm     0cac757d3fecf15e511e96d118b7fbcd
php-ncurses-5.2.6-2.el5s2.x86_64.rpm     5e8c809cf0b2e9a088643067a2925160
php-odbc-5.2.6-2.el5s2.x86_64.rpm     64210c89894a1f7412dea8ae2abb59ca
php-pdo-5.2.6-2.el5s2.x86_64.rpm     6423dae94f5513eead9bf8b1573579aa
php-pgsql-5.2.6-2.el5s2.x86_64.rpm     ded2b9cf8958cb41762e30f0aea31fef
php-snmp-5.2.6-2.el5s2.x86_64.rpm     927089d691cca08f5922247205186ef2
php-soap-5.2.6-2.el5s2.x86_64.rpm     f910b61458fabf3d1e764f765650b328
php-xml-5.2.6-2.el5s2.x86_64.rpm     1151c4e1b9da9c8fdb1254b7990ad8e0
php-xmlrpc-5.2.6-2.el5s2.x86_64.rpm     9db5a731472501691b526c83453f513d
postgresql-8.2.9-1.el5s2.x86_64.rpm     32eb3651ff3bc46d5763fe71f9a952b6
postgresql-contrib-8.2.9-1.el5s2.x86_64.rpm     c01f042e2feab4ef5da600f02e69db93
postgresql-devel-8.2.9-1.el5s2.x86_64.rpm     e71e20044d9266ab59860ee0cbbacd67
postgresql-docs-8.2.9-1.el5s2.x86_64.rpm     e0a22c99e372a38307e6f54342657145
postgresql-jdbc-8.2.508-1jpp.el5s2.x86_64.rpm     c31b4b607ffb4d17e561ac40b4bcd33f
postgresql-libs-8.2.9-1.el5s2.x86_64.rpm     ae6a63111335d57ba4678fb97d56344c
postgresql-odbc-08.02.0500-1.el5s2.x86_64.rpm     642008c7f15212ed2ec80cc29ce09754
postgresql-plperl-8.2.9-1.el5s2.x86_64.rpm     416d008c24989de77ac6863354277f94
postgresql-plpython-8.2.9-1.el5s2.x86_64.rpm     5aed43d49907f29872491effc53219cb
postgresql-pltcl-8.2.9-1.el5s2.x86_64.rpm     d6c4c67e72d13bf84de78a5ebdda45b6
postgresql-python-8.2.9-1.el5s2.x86_64.rpm     dfcb08931d1a167f1a375a0e20d28ff7
postgresql-server-8.2.9-1.el5s2.x86_64.rpm     650af136fcc1bc8e7fb2103bd1774b7b
postgresql-tcl-8.2.9-1.el5s2.x86_64.rpm     d4f22ca5c07e0cbef95f45e9adff699a
postgresql-test-8.2.9-1.el5s2.x86_64.rpm     08f73e185bd349b846ed5fb6c61d5c67
postgresqlclient81-8.1.11-1.el5s2.x86_64.rpm     9ba4ce608b372d2b9c158e57d23008d5
unixODBC-2.2.12-8.el5s2.x86_64.rpm     743e157b03cd87cfe8afc1a5578475d1
unixODBC-devel-2.2.12-8.el5s2.x86_64.rpm     aa49a45ceaa88e5a19ea7fd8555d1e24
unixODBC-kde-2.2.12-8.el5s2.x86_64.rpm     768e4319bb16ca4f12614280ae22ee0c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

285881 - CVE-2007-4782 php crash in glob() and fnmatch() functions
382411 - CVE-2007-5898 php htmlentities/htmlspecialchars multibyte sequences
382431 - CVE-2007-5899 php session ID leakage
445003 - CVE-2008-0599 php: buffer overflow in a CGI path translation
445006 - CVE-2008-2051 PHP multibyte shell escape flaw
445222 - CVE-2008-2079 mysql: privilege escalation via DATA/INDEX DIRECTORY directives
445684 - CVE-2008-2107 PHP 32 bit weak random seed
445685 - CVE-2008-2108 PHP weak 64 bit random seed


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/