[php-maint] Bug#523028: Bug#523028: php5: multiple vulnerabilities

sean finney seanius at debian.org
Wed Apr 8 06:21:11 UTC 2009

severity 523028 important
clone 523028 -1
retitle 523028 CVE-2008-5814: XSS vulnerability in PHP <= 5.2.7
retitle -1 CVE-2009-0754: mbstring.func_overload setting leakage across vhosts

hi michael,

in the future please file seperate bugs for seperate vulnerabilities.

i would say neither of these are critical vulnerabilities (though
both should be fixed), so i'm adjusting the severities down to important.

with regards to CVE-2008-5814: i believe we've previously tried to get
information from JVS about the specifics and haven't, so there isn't much
we can do and on principle i'm against tagging bogeyman bugs as grave :)

with regards to CVE-2008-5814, the scope is fairly limited and there's no
code execution/data deletion directly through this (it's just leakage of
mbstring function overloading across vhosts)


On Tue, Apr 07, 2009 at 07:00:41PM -0400, Michael S. Gilbert wrote:
> Package: php5
> Severity: grave
> Tags: security
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for php5.
> CVE-2008-5814[0]:
> | Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
> | earlier, when display_errors is enabled, allows remote attackers to
> | inject arbitrary web script or HTML via unspecified vectors.  NOTE:
> | because of the lack of details, it is unclear whether this is related
> | to CVE-2006-0208.
> CVE-2009-0754[1]:
> | PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
> | local users to modify behavior of other sites hosted on the same web
> | server by modifying the mbstring.func_overload setting within
> | .htaccess, which causes this setting to be applied to other virtual
> | hosts on the same server.
> Please coordinate with the security team to prepare updated packages
> for the stable releases.
> There is more info in the redhat security alert [2].
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
> For further information see:
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
>     http://security-tracker.debian.net/tracker/CVE-2008-5814
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
>     http://security-tracker.debian.net/tracker/CVE-2009-0754
> [2] http://lwn.net/Articles/327524/
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20090408/e009659b/attachment.pgp>

More information about the pkg-php-maint mailing list