Debian Bug report logs - #603751
Three more security issues
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Tue, 16 Nov 2010 22:33:02 UTC
Severity: important
Tags: security
Fixed in versions php5/5.3.3-4, 5.3.3-4
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Tue, 16 Nov 2010 22:33:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 16 Nov 2010 22:33:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Severity: important
Tags: security
Hi Ondrey,
unfortunately there are three more security issues affecting PHP in Squeeze.
Filing as important to not block the current upload, but we should get
this fixed for Squeeze:
The following CVE links contain links to patches:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
pn libapache2-mod-php5 | libapac <none> (no description available)
pn php5-common <none> (no description available)
php5 recommends no packages.
php5 suggests no packages.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 08:18:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 08:18:03 GMT)
Message #10 received at 603751@bugs.debian.org:
tag 603751 pending
thanks
Date: Wed Nov 17 09:14:19 2010 +0100
Author: Ondřej Surý <ondrej@sury.org>
Commit ID: 56ed9f3d516710a6a36a2034fe171f0bf00c3288
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=56ed9f3d516710a6a36a2034fe171f0bf00c3288
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=56ed9f3d516710a6a36a2034fe171f0bf00c3288
Pull fixes for CVE-2010-3709, CVE-2010-3870, CVE-2010-4156 from
upstream svn.
Closes: #603751
Added tag(s) pending. Request was from Ondřej Surý <ondrej@sury.org> to control@bugs.debian.org. (Wed, 17 Nov 2010 08:18:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 09:09:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 09:09:03 GMT)
Message #17 received at 603751@bugs.debian.org:
Hi Moritz, Adam,
thanks for the heads up. I have cherry-picked the fixes and they are in php
git. Do you need any help with backporting those to lenny? Anyway I am
going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
that I am going to upload 5.3.3-4.
Meanwhile I thought it might be a good idea to go through the svn log
and I have found some more issues we might think about fixing
(basically I went through the log and have checked all crashes,
segfaults and leaks). The fixes below are small, self-contained and I
have hand checked them all for sanity. There's even one CVE in
open_basedir which we have not caught before.
Adam, what do you think? Do you want me to submit just the CVE fixes, or
should I go ahead and cherry-pick all those fixes below?
Ondrej.
------------------------------------------------------------------------
r305416 | felipe | 2010-11-16 22:02:14 +0100 (Út, 16 lis 2010) | 3 lines
- Fixed bug #53323 (pdo_firebird getAttribute() crash)
patch by: preeves at ibphoenix dot com
------------------------------------------------------------------------
r304447 | felipe | 2010-10-16 19:52:01 +0200 (So, 16 říj 2010) | 2 lines
- Fixed bug #53070 (Calling enchant_broker_get_dict_path before
set_path crashes php)
------------------------------------------------------------------------
r303895 | dmitry | 2010-09-30 16:11:51 +0200 (Čt, 30 zář 2010) | 2 lines
Prevented crash in GC because of incorrect reference counting
------------------------------------------------------------------------
r303839 | felipe | 2010-09-29 03:25:35 +0200 (St, 29 zář 2010) | 2 lines
- Fixed bug #52947 (segfault when ssl stream option
capture_peer_cert_chain used)
------------------------------------------------------------------------
r303824 | pajoye | 2010-09-28 15:29:33 +0200 (Út, 28 zář 2010) | 1 line
- Fixed possible flaw in open_basedir (CVE-2010-3436)
------------------------------------------------------------------------
r303375 | felipe | 2010-09-15 04:12:46 +0200 (St, 15 zář 2010) | 2 lines
- Fixed bug #52843 (Segfault when optional parameters are not passed
in to mssql_connect)
------------------------------------------------------------------------
r303361 | aharvey | 2010-09-14 12:58:59 +0200 (Út, 14 zář 2010) | 3 lines
Fix bug #52827 (cURL leaks handle and causes assertion error (CURLOPT_STDERR)).
Patch by Gustavo.
------------------------------------------------------------------------
r302457 | kalle | 2010-08-18 22:16:05 +0200 (St, 18 srp 2010) | 3 lines
Fixed possible crash in php_mssql_get_column_content_without_type()
------------------------------------------------------------------------
r302085 | felipe | 2010-08-11 00:37:24 +0200 (St, 11 srp 2010) | 2 lines
- Fixed bug #52573 (SplFileObject::fscanf Segmentation fault)
------------------------------------------------------------------------
r302011 | felipe | 2010-08-09 01:56:29 +0200 (Po, 09 srp 2010) | 2 lines
- Fixed bug #50481 (Storing many SPLFixedArray in an array crashes)
------------------------------------------------------------------------
r301706 | felipe | 2010-07-30 01:38:55 +0200 (Pá, 30 čec 2010) | 2 lines
- Fixed bug #52487 (PDO::FETCH_INTO leaks memory)
Ondrej
On Tue, Nov 16, 2010 at 23:30, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: php5
> Severity: important
> Tags: security
>
> Hi Ondrey,
> unfortunately there are three more security issues affecting PHP in Squeeze.
>
> Filing as important to not block the current upload, but we should get
> this fixed for Squeeze:
>
> The following CVE links contain links to patches:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3870
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709
>
> Cheers,
> Moritz
>
> -- System Information:
> Debian Release: squeeze/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages php5 depends on:
> pn libapache2-mod-php5 | libapac <none> (no description available)
> pn php5-common <none> (no description available)
>
> php5 recommends no packages.
>
> php5 suggests no packages.
>
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 20:09:05 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 20:09:05 GMT)
Message #22 received at 603751@bugs.debian.org:
On Wed, Nov 17, 2010 at 10:05:35AM +0100, Ondřej Surý wrote:
> Hi Moritz, Adam,
>
> thanks for the heads up. I have cherry-picked the fixes and they are in php
> git. Do you need any help with backporting those to lenny?
Raphael usually takes care of php5 for Lenny. IIRC there's a
lenny branch in php-pkg svn, so you could already commit them.
> Meanwhile I thought it might be a good idea to go through the svn log
> and I have found some more issues we might think about fixing
> (basically I went through the log and have checked all crashes,
> segfaults and leaks). The fixes below are small, self-contained and I
> have hand checked them all for sanity. There's even one CVE in
> open_basedir which we have not caught before.
open_basedir violations are not treated as security issues, see
README.Debian.security.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 20:36:06 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 20:36:06 GMT)
Message #27 received at 603751@bugs.debian.org:
On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
> thanks for the heads up. I have cherry-picked the fixes and they are in php
> git. Do you need any help with backporting those to lenny? Anyway I am
> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
> that I am going to upload 5.3.3-4.
>
> Meanwhile I thought it might be a good idea to go through the svn log
[...]
> The fixes below are small, self-contained and I
> have hand checked them all for sanity. There's even one CVE in
> open_basedir which we have not caught before.
I don't mind fixing the issues you mentioned if you think they're
important enough at this stage. However, I'd prefer that an upload
including such fixes did not have high urgency, so it may depend on how
urgent getting the security fixes into Squeeze is.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 21:39:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 21:39:03 GMT)
Message #32 received at 603751@bugs.debian.org:
On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
>> thanks for the heads up. I have cherry-picked the fixes and they are in php
>> git. Do you need any help with backporting those to lenny? Anyway I am
>> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
>> that I am going to upload 5.3.3-4.
>>
>> Meanwhile I thought it might be a good idea to go through the svn log
> [...]
>> The fixes below are small, self-contained and I
>> have hand checked them all for sanity. There's even one CVE in
>> open_basedir which we have not caught before.
>
> I don't mind fixing the issues you mentioned if you think they're
> important enough at this stage. However, I'd prefer that an upload
> including such fixes did not have high urgency, so it may depend on how
> urgent getting the security fixes into Squeeze is.
That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
and I think that those three CVEs are not that urgent. Moritz, could
you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
already built) with those changes I mentioned when 5.3.3-3 has
migrated to testing.
Ondrej
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 21:42:06 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 21:42:06 GMT)
Message #37 received at 603751@bugs.debian.org:
On Wed, Nov 17, 2010 at 21:06, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Wed, Nov 17, 2010 at 10:05:35AM +0100, Ondřej Surý wrote:
>> Hi Moritz, Adam,
>>
>> thanks for the heads up. I have cherry-picked the fixes and they are in php
>> git. Do you need any help with backporting those to lenny?
>
> Raphael usually takes care of php5 for Lenny. IIRC there's a
> lenny branch in php-pkg svn, so you could already commit them.
Since Raphael's last message was that he's going to be offline, it's
probably up to me :-/. I'll see what I can do.
>> Meanwhile I thought it might be a good idea to go through the svn log
>> and I have found some more issues we might think about fixing
>> (basically I went through the log and have checked all crashes,
>> segfaults and leaks). The fixes below are small, self-contained and I
>> have hand checked them all for sanity. There's even one CVE in
>> open_basedir which we have not caught before.
>
> open_basedir violations are not treated as security issues, see
> README.Debian.security.
I know and I wasn't suggesting preparing a security release in lenny.
Sorry for not being clear. Anyway I think it's worth fixing for
squeeze.
O.
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Wed, 17 Nov 2010 22:33:08 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Wed, 17 Nov 2010 22:33:08 GMT)
Message #42 received at 603751@bugs.debian.org:
On Wed, Nov 17, 2010 at 10:36:21PM +0100, Ondřej Surý wrote:
> On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> > On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
> >> thanks for the heads up. I have cherry-picked the fixes and they are in php
> >> git. Do you need any help with backporting those to lenny? Anyway I am
> >> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
> >> that I am going to upload 5.3.3-4.
> >>
> >> Meanwhile I thought it might be a good idea to go through the svn log
> > [...]
> >> The fixes below are small, self-contained and I
> >> have hand checked them all for sanity. There's even one CVE in
> >> open_basedir which we have not caught before.
> >
> > I don't mind fixing the issues you mentioned if you think they're
> > important enough at this stage. However, I'd prefer that an upload
> > including such fixes did not have high urgency, so it may depend on how
> > urgent getting the security fixes into Squeeze is.
>
> That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
> and I think that those three CVEs are not that urgent. Moritz, could
> you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
> already built) with those changes I mentioned when 5.3.3-3 has
> migrated to testing.
Ack.
Cheers,
Moritz
Reply sent to Ondřej Surý <ondrej@debian.org>: You have taken responsibility. (Thu, 18 Nov 2010 18:06:03 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Thu, 18 Nov 2010 18:06:03 GMT)
Message #47 received at 603751-close@bugs.debian.org:
Source: php5
Source-Version: 5.3.3-4
We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:
libapache2-mod-php5_5.3.3-4_amd64.deb
to main/p/php5/libapache2-mod-php5_5.3.3-4_amd64.deb
libapache2-mod-php5filter_5.3.3-4_amd64.deb
to main/p/php5/libapache2-mod-php5filter_5.3.3-4_amd64.deb
php-pear_5.3.3-4_all.deb
to main/p/php5/php-pear_5.3.3-4_all.deb
php5-cgi_5.3.3-4_amd64.deb
to main/p/php5/php5-cgi_5.3.3-4_amd64.deb
php5-cli_5.3.3-4_amd64.deb
to main/p/php5/php5-cli_5.3.3-4_amd64.deb
php5-common_5.3.3-4_amd64.deb
to main/p/php5/php5-common_5.3.3-4_amd64.deb
php5-curl_5.3.3-4_amd64.deb
to main/p/php5/php5-curl_5.3.3-4_amd64.deb
php5-dbg_5.3.3-4_amd64.deb
to main/p/php5/php5-dbg_5.3.3-4_amd64.deb
php5-dev_5.3.3-4_amd64.deb
to main/p/php5/php5-dev_5.3.3-4_amd64.deb
php5-enchant_5.3.3-4_amd64.deb
to main/p/php5/php5-enchant_5.3.3-4_amd64.deb
php5-gd_5.3.3-4_amd64.deb
to main/p/php5/php5-gd_5.3.3-4_amd64.deb
php5-gmp_5.3.3-4_amd64.deb
to main/p/php5/php5-gmp_5.3.3-4_amd64.deb
php5-imap_5.3.3-4_amd64.deb
to main/p/php5/php5-imap_5.3.3-4_amd64.deb
php5-interbase_5.3.3-4_amd64.deb
to main/p/php5/php5-interbase_5.3.3-4_amd64.deb
php5-intl_5.3.3-4_amd64.deb
to main/p/php5/php5-intl_5.3.3-4_amd64.deb
php5-ldap_5.3.3-4_amd64.deb
to main/p/php5/php5-ldap_5.3.3-4_amd64.deb
php5-mcrypt_5.3.3-4_amd64.deb
to main/p/php5/php5-mcrypt_5.3.3-4_amd64.deb
php5-mysql_5.3.3-4_amd64.deb
to main/p/php5/php5-mysql_5.3.3-4_amd64.deb
php5-odbc_5.3.3-4_amd64.deb
to main/p/php5/php5-odbc_5.3.3-4_amd64.deb
php5-pgsql_5.3.3-4_amd64.deb
to main/p/php5/php5-pgsql_5.3.3-4_amd64.deb
php5-pspell_5.3.3-4_amd64.deb
to main/p/php5/php5-pspell_5.3.3-4_amd64.deb
php5-recode_5.3.3-4_amd64.deb
to main/p/php5/php5-recode_5.3.3-4_amd64.deb
php5-snmp_5.3.3-4_amd64.deb
to main/p/php5/php5-snmp_5.3.3-4_amd64.deb
php5-sqlite_5.3.3-4_amd64.deb
to main/p/php5/php5-sqlite_5.3.3-4_amd64.deb
php5-sybase_5.3.3-4_amd64.deb
to main/p/php5/php5-sybase_5.3.3-4_amd64.deb
php5-tidy_5.3.3-4_amd64.deb
to main/p/php5/php5-tidy_5.3.3-4_amd64.deb
php5-xmlrpc_5.3.3-4_amd64.deb
to main/p/php5/php5-xmlrpc_5.3.3-4_amd64.deb
php5-xsl_5.3.3-4_amd64.deb
to main/p/php5/php5-xsl_5.3.3-4_amd64.deb
php5_5.3.3-4.diff.gz
to main/p/php5/php5_5.3.3-4.diff.gz
php5_5.3.3-4.dsc
to main/p/php5/php5_5.3.3-4.dsc
php5_5.3.3-4_all.deb
to main/p/php5/php5_5.3.3-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 603751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Wed, 17 Nov 2010 10:31:58 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.3-4
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description:
libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (metapackage)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dbg - Debug symbols for PHP5
php5-dev - Files for PHP5 module development
php5-enchant - Enchant module for php5
php5-gd - GD module for php5
php5-gmp - GMP module for php5
php5-imap - IMAP module for php5
php5-interbase - interbase/firebird module for php5
php5-intl - internationalisation module for php5
php5-ldap - LDAP module for php5
php5-mcrypt - MCrypt module for php5
php5-mysql - MySQL module for php5
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-pspell - pspell module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-tidy - tidy module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 603751
Changes:
php5 (5.3.3-4) unstable; urgency=low
.
* Cherry pick patches for (Closes: #603751):
+ NULL pointer dereference in ZipArchive::getArchiveComment
(CVE-2010-3709)
+ utf8_decode xml_utf8_decode vulnerability (CVE-2010-3870)
+ mb_strcut() returns garbage with the excessive length parameter
(CVE-2010-4156)
+ possible flaw in open_basedir (CVE-2010-3436)
+ segfault in SplFileObject::fscanf
+ memory leak in PDO::FETCH_INTO
+ crash when storing many SPLFixedArray in an array
+ possible crash in php_mssql_get_column_content_without_type()
+ cURL leaks handle and causes assertion error (CURLOPT_STDERR)
+ segfault when optional parameters are not passed in to mssql_connect
+ segfault when ssl stream option capture_peer_cert_chain used
+ crash in GC because of incorrect reference counting
+ crash when calling enchant_broker_get_dict_path before set_path
+ crash in pdo_firebird getAttribute()
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Fri, 19 Nov 2010 06:57:03 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 19 Nov 2010 06:57:03 GMT)
Message #52 received at 603751@bugs.debian.org:
Adam,
I have uploaded 5.3.3-4 with urgency=low. Please unblock when you are
comfortable.
Thank you,
Ondrej
On Wed, Nov 17, 2010 at 22:36, Ondřej Surý <ondrej@debian.org> wrote:
> On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
>> On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
>>> thanks for the heads up. I have cherry-picked the fixes and they are in php
>>> git. Do you need any help with backporting those to lenny? Anyway I am
>>> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
>>> that I am going to upload 5.3.3-4.
>>>
>>> Meanwhile I thought it might be a good idea to go through the svn log
>> [...]
>>> The fixes below are small, self-contained and I
>>> have hand checked them all for sanity. There's even one CVE in
>>> open_basedir which we have not caught before.
>>
>> I don't mind fixing the issues you mentioned if you think they're
>> important enough at this stage. However, I'd prefer that an upload
>> including such fixes did not have high urgency, so it may depend on how
>> urgent getting the security fixes into Squeeze is.
>
> That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
> and I think that those three CVEs are not that urgent. Moritz could
> you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
> already built) with those changes I mentioned when 5.3.3-3 has
> migrated to testing.
>
> Ondrej
> --
> Ondřej Surý <ondrej@sury.org>
> http://blog.rfc1925.org/
>
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Sun, 21 Nov 2010 16:30:03 GMT)
Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 21 Nov 2010 16:30:03 GMT)
Message #57 received at 603751@bugs.debian.org:
On Fri, 2010-11-19 at 07:54 +0100, Ondřej Surý wrote:
> I have uploaded 5.3.3-4 with urgency=low. Please unblock when you are
> comfortable.
Unblocked; thanks.
Regards,
Adam
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#603751; Package php5. (Fri, 26 Nov 2010 07:30:03 GMT)
Acknowledgement sent to Ralf Becker <rb@stylite.de>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 26 Nov 2010 07:30:03 GMT)
Message #62 received at 603751@bugs.debian.org:
Hi,
there are reports on the EGroupware lists that php5 5.3.3-4 is the first
PHP 5.3.3 version usable with EGroupware.
All previous versions segfaulted in many areas. Reported by dozens of
Debian (and Ubuntu) users on all our lists.
Maybe that helps deciding about the urgency to include 5.3.3-4 into
Debian 6.
Ralf
--
Ralf Becker
Director Software Development
Stylite GmbH
[open style of IT]
Morschheimer Strasse 15
67292 Kirchheimbolanden
fon +49 (0) 6352 70629-0
fax +49 (0) 6352 70629-30
mailto: rb@stylite.de
www.stylite.de
www.egroupware.org
________________________________________________
Geschäftsführer Andre Keller,
Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951
Reply sent to Ondřej Surý <ondrej@debian.org>: You have taken responsibility. (Tue, 30 Nov 2010 14:27:12 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Tue, 30 Nov 2010 14:27:12 GMT)
Message #67 received at 603751-done@bugs.debian.org:
Version: 5.3.3-4
Thanks for the report. Closing the bug.
Ondrej
On Fri, Nov 26, 2010 at 08:09, Ralf Becker <rb@stylite.de> wrote:
> Hi,
>
> there are reports on the EGroupware lists that php5 5.3.3-4 is the first PHP
> 5.3.3 version usable with EGroupware.
>
> All previous versions segfaulted in many areas. Reported by dozens of Debian
> (and Ubuntu) users on all our lists.
>
> Maybe that helps deciding about the urgency to include 5.3.3-4 into Debian
> 6.
>
> Ralf
> --
> Ralf Becker
> Director Software Development
>
> Stylite GmbH
> [open style of IT]
>
> Morschheimer Strasse 15
> 67292 Kirchheimbolanden
>
> fon +49 (0) 6352 70629-0
> fax +49 (0) 6352 70629-30
> mailto: rb@stylite.de
>
> www.stylite.de
> www.egroupware.org
> ________________________________________________
>
> Geschäftsführer Andre Keller,
> Gudrun Müller, Ralf Becker
> Registergericht Kaiserslautern HRB 30575
> Umsatzsteuer-Id / VAT-Id: DE214280951
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>
--
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Jan 2011 07:34:37 GMT)
Last modified: Wed Jun 19 14:23:26 2019