Debian Security Advisory

php3 -- possible remote exploit

Date Reported:
14 Oct 2000
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2000-0967.
More information:
In versions of the PHP 3 packages before version 3.0.17, several format string bugs could allow properly crafted requests to execute code as the user running PHP scripts on the web server, particularly if error logging was enabled.

This problem is fixed in versions 3.0.17-0potato2 and 3.0.17-0potato3 for Debian 2.2 (potato) and in version 3.0.17-1 for Debian Unstable (woody). This is a bug fix release and we recommend all users of php3 upgrade to it.

Debian GNU/Linux 2.1 (slink) contains php3 version 3.0.5, which is believed to be affected by this problem. No security updates for slink are available at this time; Slink users who have php3 installed are highly recommended to either upgrade to potato or recompile the potato php3 packages from source (see the URLs below).

Fixed in:

Debian GNU/Linux 2.2 (potato)

Architecture-independent component:
Intel IA-32:
Motorola 680x0:
Sun Sparc: