[server-admins] Fwd: RHN Errata Alert: Critical: php security update

DM Smith dmsmith at crosswire.org
Tue May 8 12:25:45 MST 2012


On 05/08/2012 01:58 PM, Troy A. Griffitts wrote:
> That's what I'm talking about.  It makes me feel all warm and fuzzy inside.
>
> Can I simply remove PHP or did we add this as a needed dependency from the wiki or other?

The wiki uses PHP.

>
> Troy
>
>
>
>
> -------- Original Message --------
> Subject: RHN Errata Alert: Critical: php security update
> Date: Tue, 8 May 2012 13:40:37 -0400
> From: Red Hat Network Alert <dev-null at rhn.redhat.com>
> To: scribe <junkmail at crosswire.org>
>
> Red Hat Network has determined that the following advisory is applicable to
> one or more of the systems you have registered:
>
> Complete information about this errata can be found at the following location:
>      https://rhn.redhat.com/rhn/errata/details/Details.do?eid=15316
>
> Security Advisory - RHSA-2012:0546-1
> ------------------------------------------------------------------------------ 
>
> Summary:
> Critical: php security update
>
> Updated php packages that fix one security issue are now available for
> Red Hat Enterprise Linux 5 and 6.
>
> The Red Hat Security Response Team has rated this update as having critical
> security impact. A Common Vulnerability Scoring System (CVSS) base score,
> which gives a detailed severity rating, is available from the CVE link in
> the References section.
>
>
> Description:
> PHP is an HTML-embedded scripting language commonly used with the Apache
> HTTP Server.
>
> A flaw was found in the way the php-cgi executable processed command line
> arguments when running in CGI mode. A remote attacker could send a
> specially-crafted request to a PHP script that would result in the query
> string being parsed by php-cgi as command line options and arguments. This
> could lead to the disclosure of the script's source code or arbitrary code
> execution with the privileges of the PHP interpreter. (CVE-2012-1823)
>
> Red Hat is aware that a public exploit for this issue is available that
> allows remote code execution in affected PHP CGI configurations. This flaw
> does not affect the default configuration in Red Hat Enterprise Linux 5 and
> 6 using the PHP module for Apache httpd to handle PHP scripts.
>
> All php users should upgrade to these updated packages, which contain a
> backported patch to resolve this issue. After installing the updated
> packages, the httpd daemon must be restarted for the update to take effect.
>
>
> References:
> https://access.redhat.com/security/updates/classification/#critical
> ------------------------------------------------------------------------------ 
>
>
> -------------
> Taking Action
> -------------
> You may address the issues outlined in this advisory in two ways:
>
>      - select your server name by clicking on its name from the list
>        available at the following location, and then schedule an
>        errata update for it:
>            https://rhn.redhat.com/rhn/systems/SystemList.do
>
>      - run the Update Agent on each affected server.
>
>
> ---------------------------------
> Changing Notification Preferences
> ---------------------------------
> To enable/disable your Errata Alert preferences globally please log in to RHN
> and navigate from "Your RHN" / "Your Account" to the "Preferences" tab.
>
>         URL: https://rhn.redhat.com/rhn/account/UserPreferences.do
>
> You can also enable/disable notification on a per system basis by selecting an
> individual system from the "Systems List". From the individual system view
> click the "Details" tab.
>
>
> ---------------------
> Affected Systems List
> ---------------------
> This Errata Advisory may apply to the systems listed below. If you know that
> this errata does not apply to a system listed, it might be possible that the
> package profile for that server is out of date. In that case you should refresh
> the system's package profile by running *one* of the following commands as root
> on that system:
>
>  * 'up2date -p' (on Enterprise Linux systems prior to RHEL5)
>  * 'rhn-profile-sync' (on Enterprise Linux 5 or later)
>
> There is 1 affected system registered in 'Your RHN' (only systems for
> which you have explicitly enabled Errata Alerts are shown).
>
> Release   Arch       Profile Name
> --------  --------   ------------
> 6Server   x86_64     www.crosswire.org
>
>
> The Red Hat Network Team
>
> This message is being sent by Red Hat Network Alert to:
>     RHN user login:        scribe
>     Email address on file: <junkmail at crosswire.org>
>
> If you lost your RHN password, you can use the information above to
> retrieve it by email from the following address:
>     https://www.redhat.com/wapps/sso/lostPassword.html
>
> To cancel these notices, go to:
>     https://rhn.redhat.com/rhn/account/UserPreferences.do
>
>
>
>
> _______________________________________________
> server-admins mailing list
> server-admins at crosswire.org
> http://www.crosswire.org/mailman/listinfo/server-admins
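The advisory above describes the request shape behind CVE-2012-1823: a query string that php-cgi interprets as command-line options rather than as CGI variables. The script below is an added example for this list post, not code from Red Hat, PHP or the CrossWire admins. It scans Apache combined-format access-log lines and flags requests to `.php` targets whose decoded query string starts with `-` and contains no `key=value` pair, which is the same condition the widely circulated mod_rewrite workaround for this flaw tests on `%{QUERY_STRING}`. The log lines are constructed samples; the `.php` path filter is an assumption made to cut noise and can be dropped where PHP is dispatched through other handler mappings.

```python
"""Flag HTTP requests whose query string would reach php-cgi as command-line
options (the CVE-2012-1823 request shape).  Added example; constructed data."""
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/May/2012:13:41:02 -0400] "GET /index.php?page=about HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [08/May/2012:13:41:05 -0400] "GET /index.php?-xyz HTTP/1.1" 200 3071 "-" "curl/7.19.7"
203.0.113.9 - - [08/May/2012:13:41:06 -0400] "POST /index.php?%2Dxyz HTTP/1.1" 200 1140 "-" "curl/7.19.7"
203.0.113.11 - - [08/May/2012:13:41:09 -0400] "GET /index.php?q=-foo HTTP/1.1" 200 987 "-" "Mozilla/5.0"
203.0.113.12 - - [08/May/2012:13:41:10 -0400] "GET /index.php?a=1&b=2 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

# Pull method and request-target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_looks_like_cgi_options(query: str) -> bool:
    """True when the percent-decoded query string begins with '-' and has no
    '=' anywhere, i.e. it carries no CGI variables and would be handed to
    php-cgi as options.  Decoding first catches the '%2d' spelling of '-'."""
    decoded = unquote(query)
    return decoded.startswith("-") and "=" not in decoded


def suspicious_requests(log_text: str):
    """Return (line_number, request_target) for every matching log line."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        target = m.group("target")
        if "?" not in target:
            continue  # no query string at all
        path, query = target.split("?", 1)
        # Assumption: only .php targets are of interest here; relax as needed.
        if path.endswith(".php") and query_looks_like_cgi_options(query):
            hits.append((line_no, target))
    return hits


if __name__ == "__main__":
    for line_no, target in suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {target}")
```

A hit is evidence of a probe, not of compromise: as the advisory notes, hosts running PHP through the Apache module rather than php-cgi are not affected by this flaw, so pair the log check with a look at which handler actually serves `.php` on the host before treating a match as an incident.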



