Bulletin d'alerte Debian

php3 -- Exploitation distante possible

Date du rapport :
14 octobre 2000
Paquets concernés :
php3
Vulnérabilité :
Oui
Références dans la base de données de sécurité :
Dans le dictionnaire CVE du Mitre : CVE-2000-0967.
Plus de précisions :
Dans les versions de PHP 3 antérieures à la version 3.0.17, de nombreux bogues de format de chaînes autorisent la fabrication correcte de requêtes exécutables envoyant du code sur le serveur sous l'autorité de l'utilisateur sous lequel tournent les scripts PHP, tout particulièrement si le journal d'erreurs est activé.

Ce problème est réglé dans les version 3.0.17-0potato2 et 3.0.17-0potato3 de Debian 2.2 (Potato) et dans la version 3.0.17-1 de la Debian instable (Woody). C'est une version corrigée, nous recommandons donc à tous les utilisateur de php3 de la mettre à jour.

Debian GNU/Linux 2.1 (Slink) contient php3 version 3.0.5 qui est censée être affectée par ce problème. Il n'y a pas de mise à jour de sécurité pour Slink pour le moment. Les utilisateurs de Slink qui ont installé php3 sont hautement invités à migrer vers la Potato ou à recompiler les paquets php3 à partir des sources (voir les URL ci-dessous).

Corrigé dans :

Debian GNU/Linux 2.2 (potato)

Source :
http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17-0potato3.diff.gz
http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17-0potato3.dsc
http://security.debian.org/dists/potato/updates/main/source/php3_3.0.17.orig.tar.gz
Composant indépendant de l'architecture :
http://security.debian.org/dists/potato/updates/main/binary-all/php3-doc_3.0.17-0potato3_all.deb
Alpha:
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-gd_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-imap_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-ldap_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-magick_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-mhash_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-mysql_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-pgsql_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-snmp_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi-xml_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-cgi_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-dev_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-gd_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-imap_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-ldap_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-magick_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-mhash_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-mysql_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-pgsql_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-snmp_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3-xml_3.0.17-0potato3_alpha.deb
http://security.debian.org/dists/potato/updates/main/binary-alpha/php3_3.0.17-0potato3_alpha.deb
ARM:
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-gd_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-imap_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-ldap_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-magick_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-mhash_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-mysql_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-pgsql_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-snmp_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi-xml_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-cgi_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-dev_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-gd_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-imap_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-ldap_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-magick_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-mhash_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-mysql_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-pgsql_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-snmp_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3-xml_3.0.17-0potato3_arm.deb
http://security.debian.org/dists/potato/updates/main/binary-arm/php3_3.0.17-0potato3_arm.deb
Intel IA-32:
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-gd_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-imap_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-ldap_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-magick_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-mhash_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-mysql_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-pgsql_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-snmp_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi-xml_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-cgi_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-dev_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-gd_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-imap_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-ldap_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-magick_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-mhash_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-mysql_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-pgsql_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-snmp_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3-xml_3.0.17-0potato2_i386.deb
http://security.debian.org/dists/potato/updates/main/binary-i386/php3_3.0.17-0potato2_i386.deb
Motorola 680x0:
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-gd_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-imap_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-ldap_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-magick_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-mhash_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-mysql_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-pgsql_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-snmp_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi-xml_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-cgi_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-dev_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-gd_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-imap_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-ldap_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-magick_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-mhash_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-mysql_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-pgsql_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-snmp_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3-xml_3.0.17-0potato3_m68k.deb
http://security.debian.org/dists/potato/updates/main/binary-m68k/php3_3.0.17-0potato3_m68k.deb
PowerPC:
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-gd_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-imap_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-ldap_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-magick_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-mhash_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-mysql_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-pgsql_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-snmp_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi-xml_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-cgi_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-dev_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-gd_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-imap_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-ldap_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-magick_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-mhash_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-mysql_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-pgsql_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-snmp_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3-xml_3.0.17-0potato3_powerpc.deb
http://security.debian.org/dists/potato/updates/main/binary-powerpc/php3_3.0.17-0potato3_powerpc.deb
Sun Sparc:
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-gd_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-imap_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-ldap_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-magick_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-mhash_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-mysql_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-pgsql_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-snmp_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi-xml_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-cgi_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-dev_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-gd_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-imap_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-ldap_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-magick_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-mhash_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-mysql_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-pgsql_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-snmp_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3-xml_3.0.17-0potato3_sparc.deb
http://security.debian.org/dists/potato/updates/main/binary-sparc/php3_3.0.17-0potato3_sparc.deb