[php-maint] Bug#323366: marked as done (SECURITY: XML::RPC remote code injections (CAN-2005-2498))

Debian Bug Tracking System owner at bugs.debian.org
Sat Dec 17 05:48:45 UTC 2005

Your message dated Fri, 16 Dec 2005 21:36:14 -0800
with message-id <E1EnUju-0000pP-MX at spohr.debian.org>
and subject line Bug#323366: fixed in php4 4:4.3.10-16
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 16 Aug 2005 09:36:24 +0000
From ch at debian.org Tue Aug 16 02:36:24 2005
Return-path: <ch at debian.org>
Received: from office-gw.westend.com (xeniac.intern) [] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E4xrs-0001vv-00; Tue, 16 Aug 2005 02:36:24 -0700
Received: by xeniac.intern (Postfix, from userid 1000)
	id 0579F370005; Tue, 16 Aug 2005 11:36:22 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Christian Hammers <ch at debian.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: SECURITY: XML::RPC remote code injections (CAN-2005-2498)
X-Mailer: reportbug 3.8
Date: Tue, 16 Aug 2005 11:36:22 +0200
Message-Id: <20050816093622.0579F370005 at xeniac.intern>
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: php4
Version: 4:4.3.10-15
Severity: grave
Tags: security


A security flaw in XML::RPC has become known. From the version numbers
it seems to affect Debian. (I did not check which distributions and packages
exactly though).

More information is available here:

	(not yet)

	Advisory: PEAR XML_RPC Remote PHP Code Injection Vulnerability
	Application: PEAR XML_RPC <= 1.3.3
	Severity: A malformed XMLRPC request can result in execution
                  of arbitrary injected PHP code
	References: http://www.hardened-php.net/advisory_142005.66.html

	Advisory: PHPXMLRPC Remote PHP Code Injection Vulnerability
	Application: PHPXMLRPC <= 1.1.1
	Severity: A malformed XMLRPC request can result in execution
                  of arbitrary injected PHP code
	References: http://www.hardened-php.net/advisory_152005.67.html



-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (9999, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE at euro)

Versions of packages php4 depends on:
ii  libapache-mod-php4           4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-common                  4:4.3.10-15 Common files for packages built fr

-- debconf information excluded

Received: (at 323366-close) by bugs.debian.org; 17 Dec 2005 05:42:33 +0000
From katie at ftp-master.debian.org Fri Dec 16 21:42:33 2005
Return-path: <katie at ftp-master.debian.org>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EnUju-0000pP-MX; Fri, 16 Dec 2005 21:36:14 -0800
From: Steve Langasek <vorlon at debian.org>
To: 323366-close at bugs.debian.org
X-Katie: $Revision: 1.17 $
Subject: Bug#323366: fixed in php4 4:4.3.10-16
Message-Id: <E1EnUju-0000pP-MX at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Fri, 16 Dec 2005 21:36:14 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: php4
Source-Version: 4:4.3.10-16

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

  to pool/main/p/php4/libapache-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cli_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-common_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-curl_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-dev_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-domxml_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-gd_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-imap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-pear_4.3.10-16_all.deb
  to pool/main/p/php4/php4-recode_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.10-16_i386.deb
  to pool/main/p/php4/php4_4.3.10-16.diff.gz
  to pool/main/p/php4/php4_4.3.10-16.dsc
  to pool/main/p/php4/php4_4.3.10-16_all.deb

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 323366 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Steve Langasek <vorlon at debian.org> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)

Format: 1.7
Date: Wed, 24 Aug 2005 19:05:10 -0700
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal php4-mhash
Architecture: source i386 all
Version: 4:4.3.10-16
Distribution: stable-security
Urgency: high
Maintainer: Adam Conrad <adconrad at 0c3.net>
Changed-By: Steve Langasek <vorlon at debian.org>
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PEAR - PHP Extension and Application Repository
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 316447 323366
 php4 (4:4.3.10-16) stable-security; urgency=high
   Adam Conrad <adconrad at 0c3.net>:
   * Patch php4-dev's bundled shtool to use a temporary directory to resolve
     insecure temp file handling, reported in CAN-2005-1751 and CAN-2005-1759.
   * Patch PEAR after it has been installed in debian/php4-pear to resolve
     the XML-RPC vulnerability reported in CAN-2005-1921 (closes: #316447)
   * Backport changes by sesser at php.net and danielc at php.net to resolve another
     remote XML_RPC exploit, as reported in CAN-2005-2498 (closes: #323366)
 e57b3e8e7f45104fbb11c833a57a53be 1686 web optional php4_4.3.10-16.dsc
 8a49871b1a36b26bb37c89115496aa23 278625 web optional php4_4.3.10-16.diff.gz
 74768ab0a62b20706266fc601c41b9df 167674 web optional php4-common_4.3.10-16_i386.deb
 38cc33f1a4c6a70af7f6749cdf9694f6 1614254 web optional libapache-mod-php4_4.3.10-16_i386.deb
 bda5e3087f3fa5a30aa7c61b0b959491 17904 web optional php4-curl_4.3.10-16_i386.deb
 6831728b5a0e67dd31df5194f3c8abcd 37242 web optional php4-domxml_4.3.10-16_i386.deb
 ab88aac36edc614390080e28979379e2 32396 web optional php4-gd_4.3.10-16_i386.deb
 53a185bcfe7a7fbb12549cfe2d866155 37378 web optional php4-imap_4.3.10-16_i386.deb
 cac07baa0ff4938c92b7ecd71085f820 19962 web optional php4-ldap_4.3.10-16_i386.deb
 bc8db965206e8cdc77a4127407d2af4c 17680 web optional php4-mcal_4.3.10-16_i386.deb
 68bf5a9ef56c0e7ce315a1c58d2d081c 8046 web optional php4-mhash_4.3.10-16_i386.deb
 17f84133fa9b36f5d64bfd05dd620998 21224 web optional php4-mysql_4.3.10-16_i386.deb
 3570b7f701d50ed2476c89addb1d73d6 27152 web optional php4-odbc_4.3.10-16_i386.deb
 e5dc6dd166607f3e9bd94321ecb6c51e 7712 web optional php4-recode_4.3.10-16_i386.deb
 998bae510bf391d8b94a3619df9e66dc 16402 web optional php4-xslt_4.3.10-16_i386.deb
 feeddae27dbfce70d62058e6cbe5476b 13156 web optional php4-snmp_4.3.10-16_i386.deb
 7251c8bf34e8021e701190812f535676 21384 web optional php4-sybase_4.3.10-16_i386.deb
 d651476ab8d3b5f6019e221fde718aba 3208880 web optional php4-cgi_4.3.10-16_i386.deb
 782899c50e02e31683263367bab3d27f 1609418 web optional php4-cli_4.3.10-16_i386.deb
 cc9fa332fb4a3bcf50e18fe7dfc30ce5 325322 devel optional php4-dev_4.3.10-16_i386.deb
 4a4aaabcccc850497c66ebacac23e627 1611958 web optional libapache2-mod-php4_4.3.10-16_i386.deb
 a280716fde4fd6d05dddeaff37a49d54 1148 web optional php4_4.3.10-16_all.deb
 0bca8d85163399f864cf13a1ac3f2884 250902 web optional php4-pear_4.3.10-16_all.deb
 73f5d1f42e34efa534a09c6091b5a21e 4892209 web optional php4_4.3.10.orig.tar.gz

