[php-maint] php5 testing transition
Ondřej Surý
ondrej at debian.org
Tue May 8 10:30:07 UTC 2012
On Mon, May 7, 2012 at 10:02 AM, Thijs Kinkhorst <thijs at debian.org> wrote:
> On Sun, May 6, 2012 10:00, Thijs Kinkhorst wrote:
>> On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
>>> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>>>> > For some reason I had it in my head that 5.4.2 was the upstream version
>>>> > with the fixed fix rather than the not-quite fixed fix.
>>>>
>>>> I think this is the case (e.g. 5.4.2 is the fixed version).
>>>
>>> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
>>> 5.4.2 being incomplete.
>>
>> PHP 5.4.2 does not fix the issue.
>
> PHP upstream has now announced new releases for tomorrow, which also fix
> another security issue:
> http://www.php.net/archive/2012.php#id2012-05-06-1
>
> It would be great if we could get that into unstable swiftly and then
> start the migration process.
I am building a security update for squeeze right now and will release
5.4.3 for unstable when it's released (there's some Apache handler
vulnerability from 5.4.1).
php5 (5.3.3-7+squeeze9) squeeze-security; urgency=high

  * Add more return value checks for CVE-2011-4153 (pulled from OpenSUSE)
  * CVE-2012-1172: Fix insufficient validation of upload name leading
    to corrupted $_FILES indices
  * CVE-2012-1823,CVE-2012-2311: Fix PHP-CGI query string parameter
    vulnerability
$ diffstat php5_5.3.3-7+squeeze9.debdiff
debian/patches/CVE-2011-4153-2.patch | 61 +++++++++++++++++++++++++
debian/patches/CVE-2012-1172.patch | 84 +++++++++++++++++++++++++++++++++++
debian/patches/CVE-2012-1823.patch | 38 +++++++++++++++
debian/patches/CVE-2012-2311.patch | 29 ++++++++++++
php5-5.3.3/debian/changelog | 10 ++++
php5-5.3.3/debian/patches/series | 4 +
6 files changed, 226 insertions(+)
(I'll send diff.gz and dsc to team at security.d.o in next email.)
O.
--
Ondřej Surý <ondrej at sury.org>