From:	 dburcaw@newhope.terraplex.com
To:	 yellowdog-updates@lists.yellowdoglinux.com
Subject: [yellowdog-updates] Yellow Dog Linux Security Advisory: YDL-20020305-2
Date:	 5 Mar 2002 11:07:23 -0000

Yellow Dog Linux Security Announcement
--------------------------------------

Package:	php	
Issue Date: 	March 05, 2002	
Priority:	high		
Advisory ID: 	YDU-20020305-1


1. 	Topic:

	The php packages have been updated to close
	security flaws recently discovered.


2. 	Problem:

	The version of PHP that shipped with YDL 2.0 and 2.1 contains two
        broken boundary checks.  This could allow an attacker to execute
        arbitrary code on a remote system.

        The Common Vulnerabilities and Exposures project (cve.mitre.org) has
        assigned the name CAN-2002-0081 to this issue.

	All users of PHP are advised to immediately upgrade to these errata
	packages, which close these vulnerabilities.

	The php update provided also requires the mm package which was
        not shipped with YDL 2.1.  mm is provided below and is necessary
        to install this update.


3. 	Solution:

   	a) Updating via yup...
   	We suggest that you use the Yellow Dog Update Program (yup)
   	to keep your system up-to-date. The following command(s) will
   	automatically retrieve and install the fixed version of
   	this update onto your system:

   		yup update php
                yup update php-devel
                yup update php-imap
                yup update php-ldap
                yup update php-manual
                yup update php-mysql
                yup update php-pgsql 

   	b) Updating manually...
   	The update can also be retrieved manually from our ftp site
   	below along with the rpm command that should be used to install
   	the update.  (Please use a mirror site)

   		ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.1/ppc/
		rpm -Fvh php-4.0.6-9.7.0.ppc.rpm
		rpm -Fvh php-devel-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-imap-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-ldap-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-manual-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-mysql-4.0.6-9.7.0.ppc.rpm
                rpm -Fvh php-pgsql-4.0.6-9.7.0.ppc.rpm
		rpm -ivh mm-1.1.3-2.ppc.rpm
		rpm -ivh mm-devel-1.1.3-2.ppc.rpm

4. Verification

MD5 checksum			  Package
--------------------------------  ----------------------------
3edf230d80f7544c9fff6e82a700fb7d  ppc/php-4.0.6-9.7.0.ppc.rpm
dabe0d86e8d6550c0a640d115f2a16d2  ppc/php-devel-4.0.6-9.7.0.ppc.rpm
aff9acd773738cb1bd57b143aafaf0ba  ppc/php-imap-4.0.6-9.7.0.ppc.rpm
36795abba05aaee794f2f50459f5526f  ppc/php-ldap-4.0.6-9.7.0.ppc.rpm
4908c7cb092dd4ac5e9c6a2c879fe076  ppc/php-manual-4.0.6-9.7.0.ppc.rpm
4a805710e67843493b9f77e172118de6  ppc/php-mysql-4.0.6-9.7.0.ppc.rpm
6b3edada1afc1e1dd26692a5f93149b3  ppc/php-pgsql-4.0.6-9.7.0.ppc.rpm
e79b5a8538a4a6e5785f02a094d0c47c  ppc/mm-1.1.3-2.ppc.rpm
e990ef608686c6cfb36ca830a5566319  ppc/mm-devel-1.1.3-2.ppc.rpm
b933af9678d592f7a6981bb3d797cc81  SRPMS/php-4.0.6-9.7.0.src.rpm
4a20830e63c895dcbf429d31c99f116a  SRPMS/mm-1.1.3-2.src.rpm

If you wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
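
Added example, not part of the original advisory: rpm --checksig --nogpg checks a
package against the digest stored inside the package itself, so comparing a download
with the table above is a separate step. The hypothetical verify_manifest function
below does that, assuming GNU md5sum, the advisory text saved to a file, and all
downloaded packages placed in one directory.

```shell
#!/bin/sh
# Added example: compare downloaded packages against an advisory-style MD5 table.
# Usage: verify_manifest ADVISORY_FILE DOWNLOAD_DIR
#   Table rows look like "<32 hex digits>  <subdir>/<file>.rpm". Every other
#   line (mail headers, prose, the table header and rule) is skipped.
#   Files are looked up by basename in DOWNLOAD_DIR, so the "ppc/" or "SRPMS/"
#   prefix in the table does not have to exist locally.
#   Prints one status line per row; returns 0 only if every row matched.
verify_manifest() {
    manifest=$1
    dir=$2
    rc=0
    # "|| [ -n "$sum" ]" also handles a final row without a trailing newline.
    while read -r sum relpath || [ -n "$sum" ]; do
        # Keep only rows whose first field is exactly 32 hex digits.
        case $sum in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#sum}" -eq 32 ] || continue
        file=$dir/${relpath##*/}
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            rc=1
            continue
        fi
        expected=$(echo "$sum" | tr 'A-F' 'a-f')
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# Run directly as: sh verify.sh advisory.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_manifest "$1" "$2"
fi
```

A non-zero return means at least one package is missing or differs from the
published checksum and should not be installed.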


5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.yellowdoglinux.com/ for more
information.

For information regarding the usage of yup, the Yellow Dog Update Program, see
http://www.yellowdoglinux.com/support/solutions/ydl_general/yup.shtml