Updated PHP packages are now available


Stilgar
2nd July 2003, 18:50
Complete information about this errata can be found at the following location:
https://rhn.redhat.com/network/errata/errata_details.pxt?eid=1777

Security Advisory - RHSA-2003:204-11
------------------------------------------------------------------------------
Summary:
Updated PHP packages are now available

Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a
number of bugs, as well as a minor security problem in the transparent
session ID functionality.

Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP server.

This update contains fixes for a number of bugs discovered in the version
of PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of
a PHP script as an ErrorDocument and possible POST body corruption in some
configurations.

Also included is a fix for a minor security problem. In PHP version 4.3.1
and earlier, when transparent session ID support is enabled using the
"session.use_trans_sid" option, the session ID is not escaped before use.
This allows a Cross Site Scripting attack. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to
this issue.

All users of PHP are advised to upgrade to these erratum packages, which
contain back-ported patches to correct these issues.

References:
http://shh.thathost.com/secadv/2003-05-11-php.txt
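
The unescaped session ID problem described in the advisory, as an added example that is not part of the original post, Red Hat's advisory, or PHP's own source. It is a simplified userland model of link rewriting written for a current PHP release; the function names, the ID format policy and the sample values are assumptions made for illustration.

```php
<?php
// Simplified model of transparent session ID link rewriting (illustration only,
// not PHP's internal implementation). All function names are hypothetical.

// Append a query parameter to every <a href="..."> in the page.
function append_to_links(string $html, string $param): string
{
    return preg_replace_callback(
        '/(<a\s+href=")([^"]*)"/i',
        function (array $m) use ($param): string {
            $sep = strpos($m[2], '?') === false ? '?' : '&amp;';
            return $m[1] . $m[2] . $sep . $param . '"';
        },
        $html
    );
}

// Behaviour the advisory describes: the client-supplied ID is used unescaped.
function rewrite_unescaped(string $html, string $name, string $sid): string
{
    return append_to_links($html, $name . '=' . $sid);
}

// Corrected behaviour: validate the ID, then URL-encode and HTML-escape it.
function rewrite_escaped(string $html, string $name, string $sid): string
{
    // Assumed policy: IDs are 16-128 characters from [A-Za-z0-9,-].
    if (!preg_match('/\A[A-Za-z0-9,-]{16,128}\z/', $sid)) {
        return $html; // do not propagate an ID the application could not have issued
    }
    $param = urlencode($name) . '=' . urlencode($sid);
    return append_to_links($html, htmlspecialchars($param, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input.
$page    = '<a href="/cart.php">Cart</a> <a href="/item.php?id=7">Item</a>';
$goodSid = '3f2a9c0d1e4b5a6f7c8d9e0f1a2b3c4d';
$badSid  = 'x"><b>injected</b>';   // harmless markup standing in for script

echo rewrite_unescaped($page, 'PHPSESSID', $badSid), "\n";  // markup breaks out of the href attribute
echo rewrite_escaped($page, 'PHPSESSID', $badSid), "\n";    // malformed ID rejected, links unchanged
echo rewrite_escaped($page, 'PHPSESSID', $goodSid), "\n";   // well-formed ID appended to each link
```

Where URL-based session propagation is not needed at all, setting "session.use_trans_sid" to 0 removes the rewriting path entirely.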