Ubuntu Security Notice USN-66-2
17th February, 2005
php4 vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 4.10
Details
Ubuntu Security Notice USN-66-1 described a circumvention of the
"open_basedir" restriction by using the cURL module. Adam Conrad
discovered that the fix from USN-66-1 still allowed to bypass this
restriction with certain variants of path specifications.
In addition this update fixes the crash of the PHP interpreter if
curl_init() was called without parameters.
For reference, this is the relevant part of the original advisory:
FraMe from kernelpanik.org reported that the cURL module does not
respect open_basedir restrictions. As a result, scripts which used
cURL to open files with an user-specified path could read arbitrary
local files outside of the open_basedir directory.
Update instructions
The problem can be corrected by updating your system to the following package version:
- Ubuntu 4.10:
- libapache2-mod-php4
- php4-cgi
- php4-curl
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
None