Multiple security issues

Related Vulnerabilities: CVE-2014-5011   CVE-2014-5012   CVE-2014-5013   CVE-2014-2383  

Debian Bug report logs - #813849
Multiple security issues


Reported by: David Prévot <taffit@debian.org>

Date: Fri, 5 Feb 2016 23:12:02 UTC

Severity: serious

Tags: security, upstream

Found in version php-dompdf/0.6.1+dfsg-2

Fixed in versions php-dompdf/0.6.2+dfsg-1, php-dompdf/0.6.1+dfsg-2+deb8u1

Done: Markus Frosch <lazyfrosch@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#813849; Package php-dompdf. (Fri, 05 Feb 2016 23:12:05 GMT) (full text, mbox, link).


Acknowledgement sent to David Prévot <taffit@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Fri, 05 Feb 2016 23:12:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: David Prévot <taffit@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple security issues
Date: Fri, 5 Feb 2016 19:08:45 -0400
[Message part 1 (text/plain, inline)]
Package: php-dompdf
Version: 0.6.1+dfsg-2
Severity: serious
Tags: security upstream

Hi,

I’ve just noticed that php-dompdf upstream released “a security-focused
release that addresses a number of vulnerabilities that can expose your
system to exploitation.”
[CVE-2014-5011], [CVE-2014-5012] and [CVE-2014-5013] have been assigned
to these issues, but I don’t have much input about them.

I believe we should simply remove this leaf package from Jessie (along
with php-font-lib that is only used by php-dompdf). I’ll follow up with
an RM request if the security team agrees with that option.

This bug will soon force the auto-removal of this package from testing,
and unless someone steps up to adopt it (#748604), we may also remove it
from unstable.

Regards

David
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#813849; Package php-dompdf. (Fri, 26 Feb 2016 08:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Fri, 26 Feb 2016 08:09:04 GMT) (full text, mbox, link).


Message #10 received at 813849@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: David Prévot <taffit@debian.org>, 813849@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#813849: Multiple security issues
Date: Fri, 26 Feb 2016 09:07:46 +0100
[Message part 1 (text/plain, inline)]
Hi David,

On Fri, Feb 05, 2016 at 07:08:45PM -0400, David Prévot wrote:
> I’ve just noticed that php-dompdf upstream released “a security-focused
> release that addresses a number of vulnerabilities that can expose your
> system to exploitation.”
> [CVE-2014-5011], [CVE-2014-5012] and [CVE-2014-5013] have been assigned
> to these issues, but I don’t have much input about them.
> 
> I believe we should simply remove this leaf package from Jessie (along
> with php-font-lib that is only used by php-dompdf). I’ll follow up with
> an RM request if the security team agrees with that option.

Given there was no concern raised about that I think you can go ahead
with the request for removal on the next Jessie point release.

Thanks for your work,

Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#813849; Package php-dompdf. (Sat, 27 Feb 2016 15:03:06 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Frosch <lazyfrosch@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Sat, 27 Feb 2016 15:03:06 GMT) (full text, mbox, link).


Message #15 received at 813849@bugs.debian.org (full text, mbox, reply):

From: Markus Frosch <lazyfrosch@debian.org>
To: David Prévot <taffit@debian.org>, 813849@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#813849: Multiple security issues
Date: Sat, 27 Feb 2016 15:59:47 +0100
Hey guys,
I'm planning to ITA php-dompdf and just had a look at the relevant diff for that package.

Will put it on review for stable release managers asap.

Until then, please wait with efforts to RM the package; I'm using it for packages in the Icinga environment, especially icingaweb2.

Cheers
Markus Frosch
-- 
markus@lazyfrosch.de / lazyfrosch@debian.org
http://www.lazyfrosch.de



Reply sent to Markus Frosch <lazyfrosch@debian.org>:
You have taken responsibility. (Sun, 28 Feb 2016 17:27:10 GMT) (full text, mbox, link).


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Sun, 28 Feb 2016 17:27:10 GMT) (full text, mbox, link).


Message #20 received at 813849-close@bugs.debian.org (full text, mbox, reply):

From: Markus Frosch <lazyfrosch@debian.org>
To: 813849-close@bugs.debian.org
Subject: Bug#813849: fixed in php-dompdf 0.6.2+dfsg-1
Date: Sun, 28 Feb 2016 17:24:01 +0000
Source: php-dompdf
Source-Version: 0.6.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
php-dompdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Frosch <lazyfrosch@debian.org> (supplier of updated php-dompdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 28 Feb 2016 18:09:26 +0100
Source: php-dompdf
Binary: php-dompdf
Architecture: source all
Version: 0.6.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Markus Frosch <lazyfrosch@debian.org>
Description:
 php-dompdf - HTML to PDF converter
Closes: 748604 813849
Changes:
 php-dompdf (0.6.2+dfsg-1) unstable; urgency=medium
 .
   [ David Prévot ]
   * [dd91f93] Revert "Add ownCloud for Debian to uploaders"
   * [315a84c] Drop now useless minimal version for php-font-lib
   * [a470548] Fix watch file
 .
   [ Markus Frosch ]
   * [9bd8627] Update watch to exclude beta releases and mark them dfsg
   * [d1a2d1a] Adopt package within the PHP team (Closes: #748604)
   * [9f53a9a] Imported Upstream version 0.6.2+dfsg, which fixes:
     * CVE-2014-5013
     * CVE-2014-5012
     * CVE-2014-5011
     * CVE-2014-2383
     (Closes: #813849)
   * [a4b6496] Update copyright to not mention DFSG removed files
   * [9fdc430] Bump standards version to 3.9.7





Reply sent to Markus Frosch <lazyfrosch@debian.org>:
You have taken responsibility. (Fri, 25 Mar 2016 11:18:24 GMT) (full text, mbox, link).


Notification sent to David Prévot <taffit@debian.org>:
Bug acknowledged by developer. (Fri, 25 Mar 2016 11:18:24 GMT) (full text, mbox, link).


Message #25 received at 813849-close@bugs.debian.org (full text, mbox, reply):

From: Markus Frosch <lazyfrosch@debian.org>
To: 813849-close@bugs.debian.org
Subject: Bug#813849: fixed in php-dompdf 0.6.1+dfsg-2+deb8u1
Date: Fri, 25 Mar 2016 11:17:10 +0000
Source: php-dompdf
Source-Version: 0.6.1+dfsg-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
php-dompdf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813849@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Frosch <lazyfrosch@debian.org> (supplier of updated php-dompdf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 24 Mar 2016 22:07:34 +0100
Source: php-dompdf
Binary: php-dompdf
Architecture: source all
Version: 0.6.1+dfsg-2+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Markus Frosch <lazyfrosch@debian.org>
Description:
 php-dompdf - HTML to PDF converter
Closes: 813849
Changes:
 php-dompdf (0.6.1+dfsg-2+deb8u1) jessie; urgency=medium
 .
   * [22610bd] Add 0.6.2 hotfix patch which bundles CVE hotfixes from the
     upstream release.  (Closes: #813849)
 .
     This is a security-focused release that addresses a number of
     vulnerabilities that can expose your system to exploitation. In tandem
     with this release we have also posted a document to the wiki with advice
     for securing dompdf [1]. Please read the new document and take appropriate
     measures to protect your systems.
 .
     This update addresses the following announced vulnerabilities:
 .
     * CVE-2014-5011 - Information Disclosure
     * CVE-2014-5012 - Denial Of Service Vector
     * CVE-2014-5013 - Remote Code Execution (complement of CVE-2014-2383)




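As an added example, not code from the bug log or from the php-dompdf package: a version-ordering check, following the rules dpkg applies to Debian version strings, that tells whether an installed php-dompdf version still predates the fixed versions this report records for jessie and unstable. The installed versions used in the checks are constructed for the example.

```python
# Added example, not from the bug log: tell whether an installed php-dompdf
# version predates the fix this report names for a suite, using the Debian
# version-ordering rules dpkg implements ('~' first, letters before symbols, digit runs numeric).
FIXED_VERSIONS = {"jessie": "0.6.1+dfsg-2+deb8u1", "unstable": "0.6.2+dfsg-1"}

def _order(c):
    """Weight of a non-digit character, as in dpkg's order(); "" is end of string."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":
        return -1  # '~' sorts even before end of string, so 1.0~rc1 < 1.0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one by one.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically (a missing run counts as 0).
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1, like dpkg --compare-versions lt/eq/gt."""
    def split(v):  # [epoch:]upstream[-revision]; epoch defaults to 0
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def is_affected(installed, suite):
    """True when the installed version sorts before the fix for that suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) < 0
```

The jessie hotfix revision (0.6.1+dfsg-2+deb8u1) sorts after the vulnerable 0.6.1+dfsg-2 but before the 0.6.2+dfsg-1 upload to unstable, which is the ordering a security team relies on when a stable update is built from the old upstream plus a patch.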

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Apr 2016 07:29:02 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:02:51 2019; Machine Name: buxtehude
