Mailing List Info
Slackware Logo

News

Security Advisories

FAQ

Book

General Info

Get Slack

Install Help

Configuration

Packages

ChangeLogs

Propaganda

Ports

Other Sites

Support

Contact

Mailing Lists
  Archives

About

 
From: Slackware Security Team <security@slackware.com>
To: slackware-security@slackware.com
Subject: [slackware-security] php5 (SSA:2007-152-01)
Date: Fri, 1 Jun 2007 14:19:18 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  php5 (SSA:2007-152-01)

New php5 packages are available for Slackware 10.2, 11.0, and -current to
fix security issues.  PHP5 was considered a test package in Slackware 10.2,
and an "extra" package in Slackware 11.0.  If you are currently running
PHP4 you may wish to stick with that, as upgrading to PHP5 will probably
require changes to your system's configuration and/or web code.

More details about the issues affecting Slackware's PHP5 may be found in
the Common Vulnerabilities and Exposures (CVE) database:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872

One CVE-issued vulnerability (CVE-2007-1887) does not affect Slackware as
we do not ship an unbundled sqlite2 library.


Here are the details from the Slackware 11.0 ChangeLog:
+--------------------------+
extra/php5/php-5.2.3-i486-1_slack11.0.tgz:
Upgraded to php-5.2.3.
  Here's some basic information about the release from php.net:
    "This release continues to improve the security and the stability of the
    5.X branch as well as addressing two regressions introduced by the
    previous 5.2 releases.  These regressions relate to the timeout handling
    over non-blocking SSL connections and the lack of HTTP_RAW_POST_DATA in
    certain conditions.  All users are encouraged to upgrade to this release."
  For more complete information, see:
    http://www.php.net/releases/5_2_3.php
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1900
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2756
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2872
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

HINT:  Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try.  This is another primary FTP site
for Slackware that can be considerably faster than downloading
from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating additional FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 10.2:
ftp://ftp.slackware.com/pub/slackware/slackware-10.2/testing/packages/php5/php-5.2.3-i486-1_slack10.2.tgz

Updated package for Slackware 11.0:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/extra/php5/php-5.2.3-i486-1_slack11.0.tgz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-5.2.3-i486-1.tgz


MD5 signatures:
+-------------+

Slackware 10.2 package:
9f399433ff6cf9c6627476e298cc4e39  php-5.2.3-i486-1_slack10.2.tgz

Slackware 11.0 package:
8ee13bfe55814bed9898ef92c0f25b6c  php-5.2.3-i486-1_slack11.0.tgz

Slackware -current package:
ecdc3dbd5c5766f0ebaa05327d8a2fea  php-5.2.3-i486-1.tgz


Installation instructions:
+------------------------+

First, stop apache:
# apachectl stop

Next, upgrade to the new PHP package:
# upgradepkg php-5.2.3-i486-1_slack11.0.tgz

Finally, restart apache:
# apachectl start  (or: apachectl startssl)


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
security@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGYHxfakRjwEAQIjMRAos2AJ9PLzRsgFtU6v8sAx03y2L9aPGIVgCfcsXm
GglnRzWyN1/FMUqy/LdJyNU=
=o4tu
-----END PGP SIGNATURE-----

Slackware™ is a trademark of Patrick Volkerding.