[php-maint] Bug#347894: marked as done (php5: Two security problems in PHP5)

Debian Bug Tracking System owner at bugs.debian.org
Wed Jan 18 07:33:12 UTC 2006


Your message dated Tue, 17 Jan 2006 23:17:12 -0800
with message-id <E1Ez7ZA-000585-Pc at spohr.debian.org>
and subject line Bug#347894: fixed in php5 5.1.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jan 2006 11:21:02 +0000
From: Moritz Muehlenhoff <jmm at inutil.org>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: php5: Two security problems in PHP5
Message-ID: <20060113112011.5761.34321.reportbug at localhost.localdomain>
X-Mailer: reportbug 3.18
Date: Fri, 13 Jan 2006 12:20:11 +0100
X-Debbugs-Cc: Debian Security Team <team at security.debian.org>

Package: php5
Severity: grave
Tags: security
Justification: user security hole

Two security problems have been found in PHP5. For details please see
http://www.hardened-php.net/advisory_012006.112.html
http://www.hardened-php.net/advisory_022006.113.html
 
PHP 4 is not affected, so this only affects testing and sid.

Cheers,
        Moritz
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15 at euro (charmap=ISO-8859-15)

---------------------------------------
Received: (at 347894-close) by bugs.debian.org; 18 Jan 2006 07:20:42 +0000
From: Adam Conrad <adconrad at 0c3.net>
To: 347894-close at bugs.debian.org
X-Katie: $Revision: 1.65 $
Subject: Bug#347894: fixed in php5 5.1.2-1
Message-Id: <E1Ez7ZA-000585-Pc at spohr.debian.org>
Sender: Archive Administrator <katie at ftp-master.debian.org>
Date: Tue, 17 Jan 2006 23:17:12 -0800

Source: php5
Source-Version: 5.1.2-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.1.2-1_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.2-1_i386.deb
libapache2-mod-php5_5.1.2-1_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.2-1_i386.deb
php-pear_5.1.2-1_all.deb
  to pool/main/p/php5/php-pear_5.1.2-1_all.deb
php5-cgi_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-cgi_5.1.2-1_i386.deb
php5-cli_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-cli_5.1.2-1_i386.deb
php5-common_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-common_5.1.2-1_i386.deb
php5-curl_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-curl_5.1.2-1_i386.deb
php5-dev_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-dev_5.1.2-1_i386.deb
php5-gd_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-gd_5.1.2-1_i386.deb
php5-ldap_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-ldap_5.1.2-1_i386.deb
php5-mhash_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-mhash_5.1.2-1_i386.deb
php5-mysql_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-mysql_5.1.2-1_i386.deb
php5-odbc_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-odbc_5.1.2-1_i386.deb
php5-pgsql_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-pgsql_5.1.2-1_i386.deb
php5-recode_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-recode_5.1.2-1_i386.deb
php5-snmp_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-snmp_5.1.2-1_i386.deb
php5-sqlite_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-sqlite_5.1.2-1_i386.deb
php5-sybase_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-sybase_5.1.2-1_i386.deb
php5-xmlrpc_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.2-1_i386.deb
php5-xsl_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-xsl_5.1.2-1_i386.deb
php5_5.1.2-1.diff.gz
  to pool/main/p/php5/php5_5.1.2-1.diff.gz
php5_5.1.2-1.dsc
  to pool/main/p/php5/php5_5.1.2-1.dsc
php5_5.1.2-1_all.deb
  to pool/main/p/php5/php5_5.1.2-1_all.deb
php5_5.1.2.orig.tar.gz
  to pool/main/p/php5/php5_5.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 347894 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad at 0c3.net> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jan 2006 16:12:31 +1100
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: source i386 all
Version: 5.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint at lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad at 0c3.net>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 346479 346501 346550 347894
Changes: 
 php5 (5.1.2-1) unstable; urgency=low
 .
   * New upstream bugfix and security update release (closes: #347894)
     - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
     - Resolves multiple HTTP response splitting vulnerabilities, allowing
       arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
     - While we don't currently build it, this release also fixes a format
       string vulnerability in the mysqli extension; see CVE-2006-0200
     - Includes a new version of the PEAR installer that seems to have a
       slightly better clue about the difference between INSTALL_ROOT and
       PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501)
   * While the above is partially true, the PEAR installer is still a bit
     broken (it won't install correctly under fakeroot anymore, YAY), so
     shuffle debian/rules to have a build-pear-stamp target, as a stopgap.
   * Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down
     in ext/standard/datetime.c, below the php.h include (closes: #346550)
   * Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to
     properly call the PHP_ARG_ENABLE macro for an extension, not built-in.
   * Stop php-pear from Replacing and Conflicting with php-html-template-it,
     as we only now ship the bare essential to make the pear installer go.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzeZBvjztR8bOoMkRAkjAAKC8Ty2T/KHPKM6kVdvCgrVMwe+vQACgrbrx
XF4IU09C1On7TZ/KZ5lWp8g=
=qgX6
-----END PGP SIGNATURE-----



