[php-maint] Bug#479723: php 5.2.6 Security Fixes

Thijs Kinkhorst thijs at debian.org
Tue May 6 10:37:42 UTC 2008


Hi Moritz,

On Tuesday 6 May 2008 12:16, Moritz Naumann wrote:
> http://www.php.net/ChangeLog-5.php lists several security fixes which are
> included in upstream PHP 5.2.6:

Thanks for your help in matching the changelog issues to CVE names. I've put
your suggestions into the tracker.

>     * Fixed a safe_mode bypass in cURL identified by Maksymilian
> Arciemowicz. (Ilia)
>       --> CVE-2007-4850 (acc. to
> http://securityreason.com/achievement_securityalert/51)
>       --> already tracked at
> http://security-tracker.debian.net/tracker/CVE-2007-4850
>       --> missing source package reference at
> http://security-tracker.debian.net/tracker/source-package/php5

It is not really missing, we track the issue but it's marked as a non-issue 
(we treat safe mode bypasses as non-issues) and thus not shown in that 
overview.

>     * Upgraded PCRE to version 7.6 (Nuno)
>       --> CVE-2008-0674 (best match, no reference found)
>       --> not tracked yet
>       --> possibly missing reference at
> http://security-tracker.debian.net/tracker/CVE-2008-0674
>           (but should really be tracked separately)
>       --> local code execution through buffer overflow

The php5 package in Debian uses the system copy of PCRE, so this isn't an open 
issue. I've updated the tracker to add this information to that CVE.


cheers,
Thijs