Updated PHP packages for Red Hat Linux 8.0 and 9 are available that fix a number of bugs, as well as a minor security problem in the transparent session ID functionality.
PHP is an HTML-embedded scripting language commonly used with the Apache HTTP server.

This update contains fixes for a number of bugs discovered in the version of PHP included in Red Hat Linux 8.0 and 9. These bugs include the use of a PHP script as an ErrorDocument and possible POST body corruption in some configurations.

Also included is a fix for a minor security problem. In PHP version 4.3.1 and earlier, when transparent session ID support is enabled using the "session.use_trans_sid" option, the session ID is not escaped before use. This allows a Cross Site Scripting attack. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0442 to this issue.

All users of PHP are advised to upgrade to these erratum packages, which contain back-ported patches to correct these issues.
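The session ID escaping problem described above can be seen in a simplified model of link rewriting. This is an added example, not the back-ported patch or PHP's internal rewriter: the function names, the sample IDs and the accepted ID alphabet are assumptions, and the code is written for a current PHP interpreter.

```php
<?php
// Simplified model of transparent session ID link rewriting.
// Hypothetical helper names; this is not PHP's internal implementation.

// Unescaped: the client-supplied ID is copied into the attribute verbatim.
function rewrite_link_unescaped(string $href, string $name, string $sid): string
{
    $sep = (strpos($href, '?') === false) ? '?' : '&';
    return '<a href="' . $href . $sep . $name . '=' . $sid . '">next</a>';
}

// Escaped: URL-encode the ID as a query value, then HTML-escape the
// whole URL for the attribute context it is written into.
function rewrite_link_escaped(string $href, string $name, string $sid): string
{
    $sep = (strpos($href, '?') === false) ? '?' : '&';
    $url = $href . $sep . rawurlencode($name) . '=' . rawurlencode($sid);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// Defence in depth: reject IDs outside the expected alphabet before any
// use. The alphabet and length limit are assumptions for this example.
function is_plausible_session_id(string $sid): bool
{
    return preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid) === 1;
}

// Constructed sample IDs: one well-formed, one carrying markup characters.
$samples = [
    'well-formed' => '8f3c0a1b2d4e5f60718293a4b5c6d7e8',
    'with markup' => 'abc"><i>injected</i>',
];

foreach ($samples as $label => $sid) {
    echo "[$label]\n";
    echo '  unescaped: ' . rewrite_link_unescaped('page.php', 'PHPSESSID', $sid) . "\n";
    echo '  escaped:   ' . rewrite_link_escaped('page.php', 'PHPSESSID', $sid) . "\n";
    echo '  plausible: ' . (is_plausible_session_id($sid) ? 'yes' : 'no') . "\n";
}
```

With the second sample, the unescaped form closes the href attribute early and the rest of the ID becomes page markup, while the escaped form keeps the whole value inside the attribute as percent-encoded text.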