From security-announce@turbolinux.co.jp Mon Aug 25 14:54:44 2003 From: Turbolinux Resent-From: security-announce@turbolinux.co.jp To: security-announce@turbolinux.co.jp Resent-To: server-users-e@turbolinux.co.jp (moderated) Date: Mon, 25 Aug 2003 16:23:27 +0900 Reply-To: server-users-e@turbolinux.co.jp Subject: [Full-Disclosure] [TURBOLINUX SECURITY INFO] 25/Aug/2003 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This is an announcement only email list for the x86 architecture. ============================================================ Turbolinux Security Announcement 25/Aug/2003 ============================================================ The following page contains the security information of Turbolinux Inc. - Turbolinux Security Center http://www.turbolinux.com/security/ (1) php -> Cross-site scripting vulnerability =========================================================== * php -> Cross-site scripting vulnerability =========================================================== More information : PHP is an HTML-embedded scripting language. The cross-site scripting vulnerability is in the transparent SID support capability for PHP. Impact : An attacker could use this vulnerability to execute embedded scripts within the context of the generated page. Affected Products : - Turbolinux 8 Server - Turbolinux 8 Workstation - Turbolinux 7 Server - Turbolinux 7 Workstation Solution : Please either use turbopkg tool to apply the update or turn off the session.use_trans_sid in php.ini. (session.use_trans_sid is disabled by default.) Source Packages Size : MD5 php-4.2.3-10.src.rpm 3586620 5709a5dbd9500950b7e00e3396a9d330 Binary Packages Size : MD5 php-4.2.3-10.i586.rpm 1630251 bcc1e022d5e6df866e577f656365584d php-gd-4.2.3-10.i586.rpm 30516 7edac00a593a1d38aaa03d4dedd4d6fe php-imap-4.2.3-10.i586.rpm 8486 2254538bd3830eb670dadad838d7065b php-ldap-4.2.3-10.i586.rpm 23911 b19524bd75404fa30476ccc7602fa72d php-manual-4.2.3-10.i586.rpm 340817 5b8cfe4a048cd613016d1b0671888633 php-ming-4.2.3-10.i586.rpm 32512 34e9946c1d7ee60635de23a45f04a23b php-mysql-4.2.3-10.i586.rpm 90113 ff1138d5943a3b0d0e6476fba66c9605 php-pgsql-4.2.3-10.i586.rpm 34736 264b22c0d343661efc47fbd1999fea3c Source Packages Size : MD5 php-4.2.3-10.src.rpm 3586620 c0243a3f31b1e411f519d0f3075ddce7 Binary Packages Size : MD5 php-4.2.3-10.i586.rpm 1629986 c08e4fa8a0ee72eadb443494f759c3d2 php-gd-4.2.3-10.i586.rpm 30538 f0dded8c660e80224299bead30f2edeb php-imap-4.2.3-10.i586.rpm 8531 8819a72730c5b35160368af26ae8e083 php-ldap-4.2.3-10.i586.rpm 23999 314f1bf0b3930b8215e23033378f7b46 php-manual-4.2.3-10.i586.rpm 341064 c54b1703ac92f0b894c775cf4caac5df php-ming-4.2.3-10.i586.rpm 32535 3d05088f3916b3a9e8cea5264f5e7829 php-mysql-4.2.3-10.i586.rpm 90146 6dad78932d7ffa3971c43b4a9bccac52 php-pgsql-4.2.3-10.i586.rpm 34833 961df7f936cf1e191631bd48307e5780 Source Packages Size : MD5 imap-2002b-4.src.rpm 2117128 f90185e41d75eaa6f56325eebba34f83 php-4.2.3-11.src.rpm 3586763 9250f561ae9d5f2d363f7069f1a0635d Binary Packages Size : MD5 imap-2002b-4.i586.rpm 2067054 82395589206258d098f85a12bdbb6ca3 imap-devel-2002b-4.i586.rpm 1023302 c30850e69c0e6cdac1ea779b5401d384 php-4.2.3-11.i586.rpm 1600800 280bef7d19f933002168628bc3041938 php-imap-4.2.3-11.i586.rpm 8620 4cd8e4dfc6395bc9ee145128facb80ad php-ldap-4.2.3-11.i586.rpm 23625 9b0319c9bf621ae7be7f01a84cbaee7b php-manual-4.2.3-11.i586.rpm 341126 991a8d482608c841a4dc259396f707ce php-mysql-4.2.3-11.i586.rpm 85995 5b8bf0ee975c5dcc5c7f2c02e78a0795 php-pgsql-4.2.3-11.i586.rpm 34758 5eb7dd57f04d4c13b6a3c80b4617a59e Source Packages Size : MD5 imap-2002b-4.src.rpm 2117128 253865af1df8c2b91697455a9f646243 php-4.2.3-11.src.rpm 3586763 ba5a6c5237152e6a21b8096b46f04054 Binary Packages Size : MD5 imap-2002b-4.i586.rpm 2066624 60aa6bc98ac6f0aeeb7a9690b1c1dace imap-devel-2002b-4.i586.rpm 1022989 75b0316c0f6faff8f35681155cbe98ed php-4.2.3-11.i586.rpm 1600565 fb8037622f515e4f62570457c487faf4 php-imap-4.2.3-11.i586.rpm 8619 9125b56721e2800c6cc290f33de92ed4 php-ldap-4.2.3-11.i586.rpm 23628 02176d12bdd8280622fc23838ea4f27a php-manual-4.2.3-11.i586.rpm 341119 5ef9fc51a2b65da5065c83105f85ffd1 php-mysql-4.2.3-11.i586.rpm 85991 064a183a93233e0b322bb86137464059 php-pgsql-4.2.3-11.i586.rpm 34360 7e68f67c907eb6ee5a7381024961bdad session.use_trans_sid is disabled [/etc/httpd/php.ini] ------------------------------ session.use_trans_sid = 0 ------------------------------ References : CVE [CAN-2003-0442] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0442 -------------------------------------------------------------------------- Revision History 12 Aug 2003 Initial release 13 Aug 2003 Typo [CAN-2003-0422] -> [CAN-2003-0442] 25 Aug 2003 Affected Products added Turbolinux 7 Server Turbolinux 7 Workstation -------------------------------------------------------------------------- * You may need to update the turbopkg tool before applying the update. Please refer to the following URL for detailed information. http://www.turbolinux.com/download/zabom.html http://www.turbolinux.com/download/zabomupdate.html Package Update Path http://www.turbolinux.com/update ============================================================ * To obtain the public key Here is the public key http://www.turbolinux.com/security/ * To unsubscribe from the list If you ever want to remove yourself from this mailing list, you can send a message to with the word `unsubscribe' in the body (don't include the quotes). unsubscribe * To change your email address If you ever want to chage email address in this mailing list, you can send a message to with the following command in the message body: chaddr 'old address' 'new address' If you have any questions or problems, please contact Thank you! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) iD8DBQE/SblzK0LzjOqIJMwRAjRUAJ9j0Ncad7Rf0q6MukqWi6st3Fxv4ACguxTw nAlHSyo4Iu4r5l0wf8soY3o= =Rn/p -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html