[php-maint] Bug#752366: Bug#752366: php5: Memory leak in FTPS functions results in denial of service

Ondřej Surý ondrej at sury.org
Mon Jul 21 09:57:04 UTC 2014


Control: tags -1 + pending

Yes, see:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754275

O.

On Mon, Jul 21, 2014, at 06:12, Ryan C. Underwood wrote:
> 
> Hi,
> 
> A new php5-5.4.4-14+deb7u12 was released without this fix.  Would the
> fix be included in the next stable/updates version then?
> 
> Ryan
> 
> On Mon, Jun 23, 2014 at 10:12:55AM +0200, Ondřej Surý wrote:
> > Hi Ryan,
> > 
> > thanks for reporting the issue. We have an update queue in
> > stable-proposed-updates right now with a bunch of upstream fixes that
> > need to be processed first, so we don't pile updates over updates.
> > 
> > But I will merge the fix for your issue into the next s-p-u update, ok?
> > 
> > Thanks,
> > Ondrej
> > 
> > On Mon, Jun 23, 2014, at 04:56, Ryan Underwood wrote:
> > > Package: php5
> > > Version: 5.4.4-14+deb7u11
> > > Severity: important
> > > 
> > > php5 stable version has a gaping memory leak in SSL handling which was
> > > fixed upstream.
> > > 
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=0863a0d6a0f740874b4ef8dc732a4ec94949470c
> > > 
> > > Without this patch, a process which makes repeated FTP-SSL connections
> > > will eventually consume all resources of the server, not limited by
> > > PHP's own memory_limit.
> > > 
> > > -- System Information:
> > > Debian Release: 7.5
> > >   APT prefers stable-updates
> > >   APT policy: (500, 'stable-updates'), (500, 'stable')
> > > Architecture: i386 (i686)
> > > 
> > > Kernel: Linux 3.14-0.bpo.1-686-pae (SMP w/1 CPU core)
> > > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > > Shell: /bin/sh linked to /bin/bash
> > > 
> > > Versions of packages php5 depends on:
> > > ii  libapache2-mod-php5  5.4.4-14+deb7u11
> > > ii  php5-common          5.4.4-14+deb7u11
> > > 
> > > php5 recommends no packages.
> > > 
> > > php5 suggests no packages.
> > > 
> > > -- no debconf information
> > > 
> > 
> > 
> > -- 
> > Ondřej Surý <ondrej at sury.org>
> > Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
> > 
> 
> -- 
> Ryan C. Underwood, <nemesis at icequake.net>


-- 
Ondřej Surý <ondrej at sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


