[server-admins] Fwd: RHN Errata Alert: Critical: php security update

Troy A. Griffitts scribe at crosswire.org
Tue May 8 10:58:24 MST 2012


That's what I'm talking about.  It makes me feel all warm and fuzzy inside.

Can I simply remove PHP or did we add this as a needed dependency from 
the wiki or other?

Troy
-------- Original Message --------
Subject: RHN Errata Alert: Critical: php security update
Date: Tue, 8 May 2012 13:40:37 -0400
From: Red Hat Network Alert <dev-null at rhn.redhat.com>
To: scribe <junkmail at crosswire.org>

Red Hat Network has determined that the following advisory is applicable to
one or more of the systems you have registered:

Complete information about this errata can be found at the following 
location:
      https://rhn.redhat.com/rhn/errata/details/Details.do?eid=15316

Security Advisory - RHSA-2012:0546-1
------------------------------------------------------------------------------
Summary:
Critical: php security update

Updated php packages that fix one security issue are now available for
Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.


Description:
PHP is an HTML-embedded scripting language commonly used with the Apache
HTTP Server.

A flaw was found in the way the php-cgi executable processed command line
arguments when running in CGI mode. A remote attacker could send a
specially-crafted request to a PHP script that would result in the query
string being parsed by php-cgi as command line options and arguments. This
could lead to the disclosure of the script's source code or arbitrary code
execution with the privileges of the PHP interpreter. (CVE-2012-1823)

Red Hat is aware that a public exploit for this issue is available that
allows remote code execution in affected PHP CGI configurations. This flaw
does not affect the default configuration in Red Hat Enterprise Linux 5 and
6 using the PHP module for Apache httpd to handle PHP scripts.

All php users should upgrade to these updated packages, which contain a
backported patch to resolve this issue. After installing the updated
packages, the httpd daemon must be restarted for the update to take effect.


References:
https://access.redhat.com/security/updates/classification/#critical
------------------------------------------------------------------------------

-------------
Taking Action
-------------
You may address the issues outlined in this advisory in two ways:

      - select your server name by clicking on its name from the list
        available at the following location, and then schedule an
        errata update for it:
            https://rhn.redhat.com/rhn/systems/SystemList.do

      - run the Update Agent on each affected server.


---------------------------------
Changing Notification Preferences
---------------------------------
To enable/disable your Errata Alert preferences globally please log in
to RHN and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.

         URL: https://rhn.redhat.com/rhn/account/UserPreferences.do

You can also enable/disable notification on a per system basis by
selecting an individual system from the "Systems List". From the
individual system view click the "Details" tab.


---------------------
Affected Systems List
---------------------
This Errata Advisory may apply to the systems listed below. If you know that
this errata does not apply to a system listed, it might be possible that the
package profile for that server is out of date. In that case you should
refresh the system's package profile by running *one* of the following
commands as root on that system:

  * 'up2date -p' (on Enterprise Linux systems prior to RHEL5)
  * 'rhn-profile-sync' (on Enterprise Linux 5 or later)

There is 1 affected system registered in 'Your RHN' (only systems for
which you have explicitly enabled Errata Alerts are shown).

Release   Arch       Profile Name
--------  --------   ------------
6Server   x86_64     www.crosswire.org


The Red Hat Network Team

This message is being sent by Red Hat Network Alert to:
     RHN user login:        scribe
     Email address on file: <junkmail at crosswire.org>

If you lost your RHN password, you can use the information above to
retrieve it by email from the following address:
     https://www.redhat.com/wapps/sso/lostPassword.html

To cancel these notices, go to:
     https://rhn.redhat.com/rhn/account/UserPreferences.do
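The advisory above describes a request whose query string ends up parsed by php-cgi as command-line options. As an added example that is not part of this thread or of Red Hat's advisory, the following Python script applies the underlying CGI rule (RFC 3875 section 4.4: a query string containing no unencoded "=" is handed to the CGI program as argv) over a few constructed Apache access-log lines and reports the requests whose first decoded argument begins with "-". The log lines, client addresses and the option word "-opt" are placeholders, and the assumption that php-cgi is bound to the .php/.phtml extensions is the script's, not the advisory's.

```python
"""Flag web requests whose query string would reach php-cgi as command-line
options (the CVE-2012-1823 pattern described in RHSA-2012:0546-1)."""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; the addresses,
# paths and the option word "-opt" are placeholders, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/May/2012:13:41:02 -0400] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2012:13:41:09 -0400] "GET /index.php?-opt HTTP/1.1" 200 2048 "-" "curl/7.19.7"
203.0.113.7 - - [08/May/2012:13:41:15 -0400] "POST /index.php?%2Dopt%3D1 HTTP/1.1" 200 88 "-" "curl/7.19.7"
203.0.113.9 - - [08/May/2012:13:42:00 -0400] "GET /about.html?-opt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2012:13:42:31 -0400] "GET /index.php?id=-1 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PHP_SUFFIXES = (".php", ".phtml")  # assumption: php-cgi handles these extensions


def query_becomes_argv(query: str) -> bool:
    """RFC 3875 section 4.4: when the query string contains no unencoded '=',
    the server passes it to the CGI program as command-line arguments.
    '%3D' is an *encoded* '=' and therefore does not count."""
    return query != "" and "=" not in query


def first_arg_is_option(query: str) -> bool:
    """An argv-style query is split on '+' and each word percent-decoded;
    a leading '-' on the first word is what php-cgi reads as an option.
    Only the first word is examined here."""
    first_word = query.split("+", 1)[0]
    return unquote(first_word).startswith("-")


def suspicious_query(query: str) -> bool:
    """Predicate a front-end rule could enforce before handing off to php-cgi."""
    return query_becomes_argv(query) and first_arg_is_option(query)


def find_option_injection(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, request target, decoded argv) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client = line.split(" ", 1)[0]
        target = m.group("target")
        path, _, query = target.partition("?")
        if not path.lower().endswith(PHP_SUFFIXES):
            continue  # not routed to php-cgi under the assumed mapping
        if suspicious_query(query):
            argv = " ".join(unquote(word) for word in query.split("+"))
            hits.append((client, target, argv))
    return hits


if __name__ == "__main__":
    for client, target, argv in find_option_injection(SAMPLE_LOG):
        print(f"{client}\t{target}\targv={argv!r}")
```

Run against the constructed log the script reports the two /index.php requests from 203.0.113.7 and ignores the `id=-1` request, because its unencoded "=" keeps the query out of argv. The `suspicious_query` predicate is the same condition a web-server rule in front of php-cgi would reject; it is useful for reviewing logs covering the window before the updated packages were installed and httpd restarted, and it is not a substitute for the update itself. Systems that serve PHP through the Apache module, as the advisory notes for the default RHEL 5 and 6 configuration, never pass the query string as argv in the first place.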
