A PHP XMLRPC security update is available for Ubuntu Linux
==========================================================
Ubuntu Security Notice USN-147-1 July 05, 2005
php4, php4-universe vulnerability
CAN-2005-1921
==========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
libapache2-mod-php4
php4-pear
The problem can be corrected by upgrading the affected package to version 4:4.3.8-3ubuntu7.9 (for Ubuntu 4.10), or 4:4.3.10-10ubuntu3.1 (for Ubuntu 5.04). In general, a standard system upgrade is sufficient to effect the necessary changes.
Details follow:
A remote code execution vulnerability has been discovered in the XMLRPC module of the PEAR (PHP Extension and Application Repository) extension of PHP. By sending specially crafted XMLRPC requests to an affected web server, a remote attacker could exploit this to execute arbitrary code with the web server's privileges.
In Ubuntu 5.04 (Hoary Hedgehog), the PEAR extension is unsupported (it is contained in the php4-universe package which is part of universe). However, since this is a highly critical vulnerability, that package was fixed as well.
Please note that many applications contain a copy of the affected XMLRPC code, which must be fixed separately. The following packages may also be affected, but are unsupported in Ubuntu:
- drupal
- wordpress
- phpwiki
- horde3
- ewiki
- egroupware
- phpgroupware
These packages might be fixed by the community later.
The following common third party applications are affected as well, but not packaged for Ubuntu:
- Serendipity
- Postnuke
- tikiwiki
- phpwebsite
If you run any affected software, please upgrade it as soon as possible to protect your server.
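Checking a host against the fixed versions named in this notice requires Debian version ordering (epoch, numeric runs, revision) rather than plain string comparison. The sketch below is an added example and not part of the Ubuntu notice; the function names are hypothetical, and the inventory lines with their 7.8 and 7.10 revisions are constructed sample data.

```python
"""Added example: compare installed php4 package versions with the fixed
versions named in USN-147-1, using Debian version ordering."""

# Values taken from the notice text.
FIXED_VERSION = {
    "4.10": "4:4.3.8-3ubuntu7.9",    # Ubuntu 4.10 (Warty Warthog)
    "5.04": "4:4.3.10-10ubuntu3.1",  # Ubuntu 5.04 (Hoary Hedgehog)
}
AFFECTED_PACKAGES = ("libapache2-mod-php4", "php4-pear")

_DIGITS = "0123456789"


def _order(ch):
    """Sort weight of one character in a non-digit run."""
    if ch == "" or ch in _DIGITS:
        return 0                      # end of string or start of a number
    if ch == "~":
        return -1                     # '~' sorts before everything, even the end
    if ch.isascii() and ch.isalpha():
        return ord(ch)                # letters sort before other symbols
    return ord(ch) + 256


def _compare_part(a, b):
    """Compare two upstream or revision strings; returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and a[i] not in _DIGITS) or \
              (j < len(b) and b[j] not in _DIGITS):
            ca = a[i] if i < len(a) else ""
            cb = b[j] if j < len(b) else ""
            diff = _order(ca) - _order(cb)
            if diff:
                return -1 if diff < 0 else 1
            i += 1
            j += 1
        # Digit run: compare numerically, so 7.10 sorts after 7.9.
        start_i, start_j = i, j
        while i < len(a) and a[i] in _DIGITS:
            i += 1
        while j < len(b) and b[j] in _DIGITS:
            j += 1
        num_a = int(a[start_i:i] or "0")
        num_b = int(b[start_j:j] or "0")
        if num_a != num_b:
            return -1 if num_a < num_b else 1
    return 0


def split_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:                       # no epoch given means epoch 0
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                       # no revision part
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    epoch_a, up_a, rev_a = split_version(a)
    epoch_b, up_b, rev_b = split_version(b)
    if epoch_a != epoch_b:
        return -1 if epoch_a < epoch_b else 1
    return _compare_part(up_a, up_b) or _compare_part(rev_a, rev_b)


def parse_inventory(text):
    """Parse 'package version' lines into a dict."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            installed[fields[0]] = fields[1]
    return installed


def audit(release, installed):
    """Map each installed affected package to 'vulnerable' or 'fixed'."""
    fixed = FIXED_VERSION[release]
    return {
        pkg: "vulnerable" if compare_versions(installed[pkg], fixed) < 0 else "fixed"
        for pkg in AFFECTED_PACKAGES
        if pkg in installed
    }


# Constructed sample inventory (one 'package version' pair per line).
SAMPLE_INVENTORY = """\
libapache2-mod-php4 4:4.3.8-3ubuntu7.8
php4-pear 4:4.3.8-3ubuntu7.10
php4-cgi 4:4.3.8-3ubuntu7.8
"""

if __name__ == "__main__":
    for pkg, state in audit("4.10", parse_inventory(SAMPLE_INVENTORY)).items():
        print(pkg, state)
    # A version read from a .deb file name carries no epoch and sorts as older.
    print(compare_versions("4.3.10-10ubuntu3.1", FIXED_VERSION["4.10"]))
```

A `fixed` result covers only the packaged code; copies of the XMLRPC code bundled inside applications still need the separate fixes the notice mentions.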
Updated packages for Ubuntu 4.10 (Warty Warthog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.9.diff.gz
Size/MD5: 616004 aba83c3005406218f315dd4e10fdc93c
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.9.dsc
Size/MD5: 1624 5f13453ccdc07ef678393948887d1fb5
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8.orig.tar.gz
Size/MD5: 4832570 dd69f8c89281f088eadf4ade3dbd39ee
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.8-3ubuntu7.9_all.deb
Size/MD5: 332280 b4620c776b0b7a0c01e07785276bcc74
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-pear_4.3.8-3ubuntu7.9_all.deb
Size/MD5: 333464 37e8baf6cfecda800559359076a98c07
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 1689172 ca905ba66abc007c6e2c1f2522f5f867
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 3198276 0b746adc73c7f024307595d751d1046a
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 17278 1d8408cd9a09f8f84bdae47b73049255
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 40436 ce1f94a062c11e6a04f5d63b3ccafce1
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 33496 31cbb8a956114af8f70eb2d501534bab
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 21232 4a9ba4b1ac4ce2d5c2c3c3f2d7311506
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 18410 8b519ef4c7952bbaf470bed187d53bc2
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 8000 a8449358e45b69dba6a7a75d2d5699e2
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 23112 fc767c3fe309f0294428521b1933c2b4
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 28326 57c9957a11dab6d52888f82f8f80be46
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 7624 19d130845dc8b370e13870c6eabd5720
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 12984 b468564f7250de1d749a8e057eb01462
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 21512 7605bfe517943cafa076db8551ad1e99
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 17254 79257012aa4b000fe9fa82cfe985ed43
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.9_amd64.deb
Size/MD5: 1705048 8dfe9363fb64f2f4a70758958ca31ca4
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 1631046 aef628ebbe8c897192f7267eb1b808cc
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 3044388 ab4e7c5e83103c0d2827578552335187
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 16846 b230772ca3c791ed8c8e64cce99f0772
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 35560 c7a9dd11f0ad13391a344ce4b6ec8911
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 31072 84478ec67c20782309a42b815d88f569
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 19478 f3708205eec173f7ae3fe933d663cac3
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 17056 c094f672d7d58fc4eb612c8edebb3f95
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 7744 9a2e465e18275fb4e73db17da4881479
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 20904 0f277ef545109d5d7652eb67aa3325f6
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 26072 3b1ffa2d29510b6f9bee35593a52f515
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 7378 f4ee9b9a7a87d678d5078ac1744eb938
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 12320 29a8a019226abf3179b0e9d37de562ab
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 20010 7dcd47e759aa3284414428560be8b028
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 15876 97afbfac4a0cf0f5d65bca298d192947
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.9_i386.deb
Size/MD5: 1645632 d2d832b255a76a171a3c0e92358f6621
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 1690950 93573b05ce973a986622355a61b62bc1
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 3203746 1e6bb821114d2a9759ace2ccd228b045
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 19082 1149a05fe9335225786afa7039c9c1fd
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 38284 b45719d38cd9e41a358da86e12a3358f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 34006 c0cac2a45d7da077d3948a34e1c3bd33
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 21474 c383448d08c39bbf468f090877a8dbb0
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 19304 7d23e82a5c991f40641814cec3fa023f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 9320 a4469b0c5c68c837ea196c44fe186af0
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 22678 71501b4952953e215c736c68f32c0678
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 28406 5718a5a9f91cce77c7be1b089c10dca7
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 9008 10f220191ff32538b4a0f1b6871e835f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 14328 ca81b4fd4df4f67a6e1511fb4a4c66c7
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 22192 1e3c119de37fef26225631959df16a21
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 18060 9293dd511f251c830753ffbc3e74247e
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.9_powerpc.deb
Size/MD5: 1708946 ee126506d0023696b488d463d59923b4
Updated universe packages for Ubuntu 5.04 (Hoary Hedgehog):
Source archives:
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe_4.3.10-10ubuntu3.1.diff.gz
Size/MD5: 269682 c95d409b39acfd20354ab6bad8b34aea
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe_4.3.10-10ubuntu3.1.dsc
Size/MD5: 1669 7d76d8e0b2aab57aca1e18f61d1f6ce1
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe_4.3.10.orig.tar.gz
Size/MD5: 4892209 73f5d1f42e34efa534a09c6091b5a21e
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-pear_4.3.10-10ubuntu3.1_all.deb
Size/MD5: 249512 dd075880e8c84a3f6ca86d27a87f079e
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/libapache-mod-php4_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 1659024 1ce063ab45dc418a22431f84d695e4b0
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-curl_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 17808 4da475770cbd42f1c071d41c494188b8
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-domxml_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 40782 278f335641e96382fd2939ed9fbcc6a7
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-gd_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 34264 4da35e109647012fcfde24f49552bcd0
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-imap_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 37628 7beb533d0875713c5f32e929300873aa
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-ldap_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 21386 95c19c2109a87323e2db9f7b6b2b963c
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mcal_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 18864 ed029458bb75d930f5eded7bdebf42c8
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mhash_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 8230 255b3a2437187a623951cc247125c204
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mysql_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 23522 27069dc0b9e18e0f00028cdecd9e5052
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-odbc_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 28760 cc1112d462d62b87bdfc12a6e699b76b
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-recode_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 7892 01c7bc557d520fc62e707b6057c35cdf
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-snmp_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 13656 dcd0b09085a96fd2fd1ae282a1fe1183
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-sybase_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 22428 acd62a8fabe4f825e8bbcd71dd0c4d58
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe-common_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 124338 ffe18168230bd360df7ce16669a2bfc3
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-xslt_4.3.10-10ubuntu3.1_amd64.deb
Size/MD5: 17554 fa7e07ceebf5386055df1f91c62b859f
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/libapache-mod-php4_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 1592446 707e21f8e3cb343d953d10038e6c97b6
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-curl_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 17364 61a15c5e34802afa5fc2f4328bacbfde
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-domxml_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 35924 48080f5998fd89cb63f012f4e5030a77
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-gd_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 31610 82d4dc9766c1cd2e8669b6872dc41443
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-imap_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 36212 246f5877d7381d158ee68da6084ed52e
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-ldap_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 19614 b913361fdafec3dd8db84553f799e0c7
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mcal_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 17400 450607a9e057c297705d453dd5d55a8f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mhash_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 7982 fc89feabb82a9d888a265a00e4f6664e
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mysql_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 21246 93f63d10d78ffbd76eaff7218b9b7d6c
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-odbc_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 26386 0a25c1544d59224390b6f27a2eecdad8
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-recode_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 7628 2ab8973f0df75b9aade1ac38b5e16602
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-snmp_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 12950 49a5b6f4bb7cf93305d24af4a3637946
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-sybase_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 20814 2658a05663d67a91fc216e9a3bd8d02b
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe-common_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 124336 50b2a7fb1f550bffb48b95b422f898b9
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-xslt_4.3.10-10ubuntu3.1_i386.deb
Size/MD5: 16128 593ffa1f9ad80c737a92aeb40ecd3fc7
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/libapache-mod-php4_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 1659224 69742857d6663d339cedebb407d067b1
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-curl_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 19622 ae98a7fa9dddb9aed8904ee0dc22548f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-domxml_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 38644 36110e98b5082ef8f061fa1b372e9db3
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-gd_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 34508 a51a2814ec40e7a7975e8b067359c4c4
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-imap_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 37690 5fc59fca49e04d9a80a1037761264baf
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-ldap_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 21388 323d9d15c74b23bacb9f03396fd19f00
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mcal_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 19716 5fe02ca3292206337b92b2055bd83c1f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mhash_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 9562 d35a225e1e6e62896ea143cbbd0ee47e
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-mysql_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 23018 ca861573b6f71711b6be19f33281b579
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-odbc_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 28660 e1b4401b903b3c6d4b820efa311157d4
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-recode_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 9266 b4a3aa306f992f8d1bf40d7a9c26af06
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-snmp_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 14950 d4d41593b653b89b460ce913fc404742
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-sybase_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 23038 6501ba86450496dc6005d12de9eb8fb9
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-universe-common_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 124350 134a58a05ba4939e32e00d6abe6db286
http://security.ubuntu.com/ubuntu/pool/universe/p/php4-universe/php4-xslt_4.3.10-10ubuntu3.1_powerpc.deb
Size/MD5: 18256 01c05bf4a68f681bd340f213bb14744a