[php-maint] [Fwd: Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities]
sean finney
seanius at debian.org
Wed May 6 13:02:15 UTC 2009
honestly, i'm not surprised, based on the size of the changes and
the very messy/manual process of picking out related/needed changes
for the etch version.
i can take a look but it will probably be a couple days.
sean
On Wed, May 06, 2009 at 01:51:18PM +0200, Thijs Kinkhorst wrote:
> All,
>
> Seems there was a problem after all with the zip extension. If anyone is
> able to dive into this, that would be great.
>
>
> Thijs
> Date: Wed, 6 May 2009 10:57:26 +0200
> From: Sébastien Le Ray <s.le_ray at eutech-ssii.com>
> To: debian-security at lists.debian.org
> Subject: Re: [SECURITY] [DSA 1789-1] New php5 packages fix several vulnerabilities
>
>
> On Mon, 4 May 2009 22:57:57 +0200 (CEST),
> Thijs Kinkhorst <thijs at debian.org> wrote:
>
> >
> > ------------------------------------------------------------------------
> > Debian Security Advisory DSA-1789-1                  security at debian.org
> > http://www.debian.org/security/                         Thijs Kinkhorst
> > May 04, 2009                          http://www.debian.org/security/faq
> > ------------------------------------------------------------------------
> >
> > Package : php5
> > Vulnerability : several
> > Problem type : remote
> > Debian-specific: no
> > CVE Id(s) : CVE-2008-2107 CVE-2008-2108 CVE-2008-5557
> > CVE-2008-5624 CVE-2008-5658 CVE-2008-5814 CVE-2009-0754 CVE-2009-1271
> > Debian Bugs : 507101 507857 508021 511493 523028 523049
> >
> > Several remote vulnerabilities have been discovered in the PHP 5
> > hypertext preprocessor. The Common Vulnerabilities and Exposures
> > project identifies the following problems.
> >
> > The following four vulnerabilities have already been fixed in the
> > stable (lenny) version of php5 prior to the release of lenny. This
> > update now addresses them for etch (oldstable) as well:
> >
> >
> > CVE-2008-5658
> >
> > Directory traversal vulnerability in the ZipArchive::extractTo
> > function allows attackers to write arbitrary files via a ZIP file
> > with a file whose name contains .. (dot dot) sequences.
> >
>
> Hi,
>
> It seems that there were some side effects. Since the upgrade we've had PHP
> crashes with:
> *** glibc detected *** double free or corruption (fasttop): 0x08718200 ***
>
> The crash occurs inside the extractTo function, please tell me if you
> need any additional information.
>
> Regards
>
> Sébastien
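The CVE-2008-5658 issue quoted above (ZIP entry names containing ".." letting ZipArchive::extractTo write outside its destination) can also be guarded in calling code while a packaged fix is being sorted out. This is an added example, not code from php5 or the Debian package; the helper names is_safe_entry_name() and extract_zip_safely() are constructed for the illustration.

```php
<?php
// Added example (not php5's or Debian's code): vet ZIP entry names before
// passing them to ZipArchive::extractTo(), so a crafted archive cannot
// climb out of the extraction directory via ".." path components.

function is_safe_entry_name(string $name): bool {
    // ZIP names may use either separator; normalise to "/" first.
    $norm = str_replace('\\', '/', $name);
    // Empty names, absolute paths (/etc/x, C:/x) and NUL bytes are rejected.
    if ($norm === '' || $norm[0] === '/' || preg_match('#^[A-Za-z]:/#', $norm)
        || strpos($norm, "\0") !== false) {
        return false;
    }
    // Any ".." component can escape the destination root (CVE-2008-5658).
    foreach (explode('/', $norm) as $component) {
        if ($component === '..') {
            return false;
        }
    }
    return true;
}

// Extracts only the vetted entries; returns what was accepted and rejected
// so the caller can log the rejected names as an indicator of a bad archive.
function extract_zip_safely(string $zipPath, string $destDir): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $accepted = [];
    $rejected = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (is_safe_entry_name($name)) {
            $accepted[] = $name;
        } else {
            $rejected[] = $name;
        }
    }
    // extractTo() accepts an explicit list of entry names to extract.
    if ($accepted !== [] && !$zip->extractTo($destDir, $accepted)) {
        $zip->close();
        throw new RuntimeException("extraction into $destDir failed");
    }
    $zip->close();
    return ['accepted' => $accepted, 'rejected' => $rejected];
}
```

A non-empty 'rejected' list from a user-supplied archive is worth alerting on, since a legitimate archive has no reason to carry ".." or absolute entry names.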