[php-maint] Bug#316447: marked as done (remote code execution in PEAR::XML_RPC)

Debian Bug Tracking System owner at bugs.debian.org
Mon Aug 29 15:48:17 UTC 2005


Your message dated Mon, 29 Aug 2005 08:32:20 -0700
with message-id <E1E9lcS-0003Pr-00 at spohr.debian.org>
and subject line Bug#316447: fixed in php4 4:4.3.10-16
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 30 Jun 2005 23:10:46 +0000
From martin at mein-horde.de Thu Jun 30 16:10:46 2005
Return-path: <martin at mein-horde.de>
Received: from ipx-190-250-190-80.ipxserver.de (mein-horde.de) [80.190.250.190] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1Do8BC-0003iz-00; Thu, 30 Jun 2005 16:10:46 -0700
Received: from localhost (localhost [127.0.0.1])
	by mein-horde.de (Postfix) with ESMTP id 250382EC016
	for <submit at bugs.debian.org>; Fri,  1 Jul 2005 01:10:44 +0200 (CEST)
Received: from mein-horde.de ([127.0.0.1])
	by localhost (ipx10645 [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 22031-01 for <submit at bugs.debian.org>;
	Fri, 1 Jul 2005 01:10:43 +0200 (CEST)
Received: from [192.168.150.10] (port-212-202-174-167.dynamic.qsc.de [212.202.174.167])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mein-horde.de (Postfix) with ESMTP id 4B2AC2EC008
	for <submit at bugs.debian.org>; Fri,  1 Jul 2005 01:10:43 +0200 (CEST)
Message-ID: <42C47BF0.2030101 at mein-horde.de>
Date: Fri, 01 Jul 2005 01:10:41 +0200
From: Martin Lohmeier <martin at mein-horde.de>
User-Agent: Debian Thunderbird 1.0.2 (X11/20050331)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: submit at bugs.debian.org
Subject: remote code execution in PEAR::XML_RPC
X-Enigmail-Version: 0.91.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at mein-horde.de
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.4 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	UPPERCASE_25_50 autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: php4-pear
Version: 4.3.10-15
Tags: Security

Hi,

there is a problem with PEAR::XML_RPC, please have a look at
http://www.hardened-php.net/advisory-022005.php ,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1921 and
http://www.mandriva.com/security/advisories?name=MDKSA-2005:109

Bye, Martin
- --

Powered by Debian GNU / Linux
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCxHvwOvJj+wS6JuIRAl4SAKCYw7axZzje0ybXrLUGVCr+zxznkQCgyoyX
NIjMZUymsUQOw4cbM/NJjQs=
=Sb2Y
-----END PGP SIGNATURE-----

---------------------------------------
Received: (at 316447-close) by bugs.debian.org; 29 Aug 2005 15:43:44 +0000
From katie at spohr.debian.org Mon Aug 29 08:43:44 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1E9lcS-0003Pr-00; Mon, 29 Aug 2005 08:32:20 -0700
From: Steve Langasek <vorlon at debian.org>
To: 316447-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#316447: fixed in php4 4:4.3.10-16
Message-Id: <E1E9lcS-0003Pr-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Mon, 29 Aug 2005 08:32:20 -0700
Delivered-To: 316447-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: php4
Source-Version: 4:4.3.10-16

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

libapache-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.10-16_i386.deb
libapache2-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.10-16_i386.deb
php4-cgi_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.10-16_i386.deb
php4-cli_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cli_4.3.10-16_i386.deb
php4-common_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-common_4.3.10-16_i386.deb
php4-curl_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-curl_4.3.10-16_i386.deb
php4-dev_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-dev_4.3.10-16_i386.deb
php4-domxml_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-domxml_4.3.10-16_i386.deb
php4-gd_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-gd_4.3.10-16_i386.deb
php4-imap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-imap_4.3.10-16_i386.deb
php4-ldap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.10-16_i386.deb
php4-mcal_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.10-16_i386.deb
php4-mhash_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.10-16_i386.deb
php4-mysql_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.10-16_i386.deb
php4-odbc_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.10-16_i386.deb
php4-pear_4.3.10-16_all.deb
  to pool/main/p/php4/php4-pear_4.3.10-16_all.deb
php4-recode_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-recode_4.3.10-16_i386.deb
php4-snmp_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.10-16_i386.deb
php4-sybase_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.10-16_i386.deb
php4-xslt_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.10-16_i386.deb
php4_4.3.10-16.diff.gz
  to pool/main/p/php4/php4_4.3.10-16.diff.gz
php4_4.3.10-16.dsc
  to pool/main/p/php4/php4_4.3.10-16.dsc
php4_4.3.10-16_all.deb
  to pool/main/p/php4/php4_4.3.10-16_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 316447 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon at debian.org> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 24 Aug 2005 19:05:10 -0700
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal php4-mhash
Architecture: source i386 all
Version: 4:4.3.10-16
Distribution: stable-security
Urgency: high
Maintainer: Adam Conrad <adconrad at 0c3.net>
Changed-By: Steve Langasek <vorlon at debian.org>
Description: 
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PEAR - PHP Extension and Application Repository
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 316447 323366
Changes: 
 php4 (4:4.3.10-16) stable-security; urgency=high
 .
   Adam Conrad <adconrad at 0c3.net>:
   * Patch php4-dev's bundled shtool to use a temporary directory to resolve
     insecure temp file handling, reported in CAN-2005-1751 and CAN-2005-1759.
   * Patch PEAR after it has been installed in debian/php4-pear to resolve
     the XML-RPC vulnerability reported in CAN-2005-1921 (closes: #316447)
   * Backport changes by sesser at php.net and danielc at php.net to resolve another
     remote XML_RPC exploit, as reported in CAN-2005-2498 (closes: #323366)
Files: 
 e57b3e8e7f45104fbb11c833a57a53be 1686 web optional php4_4.3.10-16.dsc
 8a49871b1a36b26bb37c89115496aa23 278625 web optional php4_4.3.10-16.diff.gz
 74768ab0a62b20706266fc601c41b9df 167674 web optional php4-common_4.3.10-16_i386.deb
 38cc33f1a4c6a70af7f6749cdf9694f6 1614254 web optional libapache-mod-php4_4.3.10-16_i386.deb
 bda5e3087f3fa5a30aa7c61b0b959491 17904 web optional php4-curl_4.3.10-16_i386.deb
 6831728b5a0e67dd31df5194f3c8abcd 37242 web optional php4-domxml_4.3.10-16_i386.deb
 ab88aac36edc614390080e28979379e2 32396 web optional php4-gd_4.3.10-16_i386.deb
 53a185bcfe7a7fbb12549cfe2d866155 37378 web optional php4-imap_4.3.10-16_i386.deb
 cac07baa0ff4938c92b7ecd71085f820 19962 web optional php4-ldap_4.3.10-16_i386.deb
 bc8db965206e8cdc77a4127407d2af4c 17680 web optional php4-mcal_4.3.10-16_i386.deb
 68bf5a9ef56c0e7ce315a1c58d2d081c 8046 web optional php4-mhash_4.3.10-16_i386.deb
 17f84133fa9b36f5d64bfd05dd620998 21224 web optional php4-mysql_4.3.10-16_i386.deb
 3570b7f701d50ed2476c89addb1d73d6 27152 web optional php4-odbc_4.3.10-16_i386.deb
 e5dc6dd166607f3e9bd94321ecb6c51e 7712 web optional php4-recode_4.3.10-16_i386.deb
 998bae510bf391d8b94a3619df9e66dc 16402 web optional php4-xslt_4.3.10-16_i386.deb
 feeddae27dbfce70d62058e6cbe5476b 13156 web optional php4-snmp_4.3.10-16_i386.deb
 7251c8bf34e8021e701190812f535676 21384 web optional php4-sybase_4.3.10-16_i386.deb
 d651476ab8d3b5f6019e221fde718aba 3208880 web optional php4-cgi_4.3.10-16_i386.deb
 782899c50e02e31683263367bab3d27f 1609418 web optional php4-cli_4.3.10-16_i386.deb
 cc9fa332fb4a3bcf50e18fe7dfc30ce5 325322 devel optional php4-dev_4.3.10-16_i386.deb
 4a4aaabcccc850497c66ebacac23e627 1611958 web optional libapache2-mod-php4_4.3.10-16_i386.deb
 a280716fde4fd6d05dddeaff37a49d54 1148 web optional php4_4.3.10-16_all.deb
 0bca8d85163399f864cf13a1ac3f2884 250902 web optional php4-pear_4.3.10-16_all.deb
 73f5d1f42e34efa534a09c6091b5a21e 4892209 web optional php4_4.3.10.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDDrizW5ql+IAeqTIRAjr4AJ0V5HkRaUQficdgExAVLO4/Hn7nzACeN7Ar
wA6AIBsQ4AdAZu+o93aE4lE=
=IYc4
-----END PGP SIGNATURE-----