Security Advisory Critical: php security update

Advisory: RHSA-2014:1825-1
Type: Security Advisory
Severity: Critical
Issued on: 2014-11-06
Last updated on: 2014-11-06
Affected Products: Red Hat Enterprise Linux ELS (v. 4)
CVEs (cve.mitre.org): CVE-2014-8626

Details

Updated php packages that fix one security issue are now available for Red
Hat Enterprise Linux 4 Extended Life Cycle Support.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

A stack-based buffer overflow flaw was found in the way the xmlrpc
extension parsed dates in the ISO 8601 format. A specially crafted XML-RPC
request or response could possibly cause a PHP application to crash or
execute arbitrary code with the privileges of the user running that PHP
application. (CVE-2014-8626)

All php users are advised to upgrade to these updated packages, which
contain a backported patch to correct this issue. After installing the
updated packages, the httpd daemon must be restarted for the update to
take effect.
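
One way to check both conditions on a host (fixed build installed, httpd restarted afterwards), as an added example that is not part of the Red Hat advisory. The function names are hypothetical, the version comparison is a simplification of rpm's own algorithm, and the pidfile path /var/run/httpd.pid, GNU date and procps ps are assumptions about the host.

```shell
#!/bin/sh
# Added example (not from the advisory): confirm the fixed php build is
# installed and that httpd was restarted after it was installed.
FIXED_EVR="4.3.9-3.38.el4"   # version-release from the advisory's package list

# ver_ge A B: return 0 if A >= B, 1 if A < B, 2 if not comparable.
# Simplified, not rpm's full algorithm: fields are split on '.' and '-',
# numeric fields are compared as integers, and non-numeric fields (such as
# "el4") must be identical.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%[.-]*} fb=${b%%[.-]*}
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
        case "$fa$fb" in
            *[!0-9]*) [ "$fa" = "$fb" ] && continue; return 2 ;;
        esac
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    done
    return 0
}

# restarted_since INSTALL_EPOCH START_EPOCH: succeed if the daemon started
# at or after the package install time, i.e. it is running the updated code.
restarted_since() { [ "$2" -ge "$1" ]; }

check_host() {
    pidfile=${1:-/var/run/httpd.pid}   # assumed default pidfile location
    rpm -q php >/dev/null 2>&1 || { echo "php is not installed"; return 0; }
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' php | head -n 1)
    ver_ge "$evr" "$FIXED_EVR" || { echo "php-$evr is not at or above $FIXED_EVR"; return 1; }
    installed=$(rpm -q --qf '%{INSTALLTIME}\n' php | head -n 1)
    started=$(date -d "$(ps -o lstart= -p "$(cat "$pidfile")")" +%s) || return 2
    restarted_since "$installed" "$started" || { echo "php-$evr installed, but httpd has not been restarted since"; return 1; }
    echo "OK: php-$evr installed and httpd restarted after the update"
}

if [ "${1:-}" = "--check" ]; then check_host "${2:-}"; fi
```

Run it as root with `--check` (optionally followed by a pidfile path); a non-zero exit status means the host still needs the update or an httpd restart.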


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Updated packages

Red Hat Enterprise Linux ELS (v. 4)

SRPMS:
php-4.3.9-3.38.el4.src.rpm

IA-32:
php-4.3.9-3.38.el4.i386.rpm
php-devel-4.3.9-3.38.el4.i386.rpm
php-domxml-4.3.9-3.38.el4.i386.rpm
php-gd-4.3.9-3.38.el4.i386.rpm
php-imap-4.3.9-3.38.el4.i386.rpm
php-ldap-4.3.9-3.38.el4.i386.rpm
php-mbstring-4.3.9-3.38.el4.i386.rpm
php-mysql-4.3.9-3.38.el4.i386.rpm
php-ncurses-4.3.9-3.38.el4.i386.rpm
php-odbc-4.3.9-3.38.el4.i386.rpm
php-pear-4.3.9-3.38.el4.i386.rpm
php-pgsql-4.3.9-3.38.el4.i386.rpm
php-snmp-4.3.9-3.38.el4.i386.rpm
php-xmlrpc-4.3.9-3.38.el4.i386.rpm

IA-64:
php-4.3.9-3.38.el4.ia64.rpm
php-devel-4.3.9-3.38.el4.ia64.rpm
php-domxml-4.3.9-3.38.el4.ia64.rpm
php-gd-4.3.9-3.38.el4.ia64.rpm
php-imap-4.3.9-3.38.el4.ia64.rpm
php-ldap-4.3.9-3.38.el4.ia64.rpm
php-mbstring-4.3.9-3.38.el4.ia64.rpm
php-mysql-4.3.9-3.38.el4.ia64.rpm
php-ncurses-4.3.9-3.38.el4.ia64.rpm
php-odbc-4.3.9-3.38.el4.ia64.rpm
php-pear-4.3.9-3.38.el4.ia64.rpm
php-pgsql-4.3.9-3.38.el4.ia64.rpm
php-snmp-4.3.9-3.38.el4.ia64.rpm
php-xmlrpc-4.3.9-3.38.el4.ia64.rpm

x86_64:
php-4.3.9-3.38.el4.x86_64.rpm
php-devel-4.3.9-3.38.el4.x86_64.rpm
php-domxml-4.3.9-3.38.el4.x86_64.rpm
php-gd-4.3.9-3.38.el4.x86_64.rpm
php-imap-4.3.9-3.38.el4.x86_64.rpm
php-ldap-4.3.9-3.38.el4.x86_64.rpm
php-mbstring-4.3.9-3.38.el4.x86_64.rpm
php-mysql-4.3.9-3.38.el4.x86_64.rpm
php-ncurses-4.3.9-3.38.el4.x86_64.rpm
php-odbc-4.3.9-3.38.el4.x86_64.rpm
php-pear-4.3.9-3.38.el4.x86_64.rpm
php-pgsql-4.3.9-3.38.el4.x86_64.rpm
php-snmp-4.3.9-3.38.el4.x86_64.rpm
php-xmlrpc-4.3.9-3.38.el4.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1155607 - CVE-2014-8626 php: xmlrpc ISO8601 date format parsing buffer overflow


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/