Debian Bug report logs - #751364
php5: CVE-2014-4049: heap-based buffer overflow in DNS TXT record parsing
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 12 Jun 2014 06:21:07 UTC
Severity: grave
Tags: security, upstream
Found in version php5/5.3.3-7
Fixed in versions php5/5.4.4-14+deb7u11, php5/5.6.0~beta4+dfsg-3
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#751364; Package src:php5. (Thu, 12 Jun 2014 06:21:11 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 12 Jun 2014 06:21:11 GMT)
Message #5 received at submit@bugs.debian.org:
Source: php5
Severity: grave
Tags: security upstream
Hi
A heap-based buffer overflow was committed in [1], Red Hat Bugzilla
reference at [2].
[1] https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1108447
A CVE assignment is pending. Could you also mark affected versions for
the BTS? From a quick(!) look it seems that all versions have the
vulnerable code present.
Regards,
Salvatore
Changed Bug title to 'php5: CVE-2014-4049: heap-based buffer overflow in DNS TXT record parsing' from 'php5: heap-based buffer overflow in DNS TXT record parsing'
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Jun 2014 06:21:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#751364; Package src:php5. (Sat, 14 Jun 2014 09:57:04 GMT)
Acknowledgement sent to Ondřej Surý <ondrej@sury.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 14 Jun 2014 09:57:04 GMT)
Message #12 received at 751364@bugs.debian.org:
Hi Salvatore,
I have prepared versions for unstable (already uploaded) and for wheezy
(compiling right now) with patch from upstream.
I'll submit it to team@s.d.o after it finishes the compilation.
Whoever is doing squeeze LTS feel free to cherry-pick from git and
commit back to our git.
O.
On Thu, Jun 12, 2014, at 8:19, Salvatore Bonaccorso wrote:
> Source: php5
> Severity: grave
> Tags: security upstream
>
> Hi
>
> A heap-based buffer overflow was committed in [1], Red Hat Bugzilla
> reference at [2].
>
> [1]
> https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1108447
>
> A CVE assignment is pending. Could you also mark affected versions for
> the BTS? From a quick(!) look it seems that all versions have the
> vulnerable code present.
>
> Regards,
> Salvatore
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Marked as found in versions php5/5.3.3-7.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jun 2014 13:06:05 GMT)
Marked as fixed in versions php5/5.6.0~beta4+dfsg-3.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jun 2014 13:09:05 GMT)
Marked Bug as done
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 14 Jun 2014 13:09:06 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 14 Jun 2014 13:09:07 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#751364. (Sat, 14 Jun 2014 13:09:10 GMT)
Message #23 received at 751364-submitter@bugs.debian.org:
# mark as found in common ancestor of oldstable, stable and unstable
found 751364 5.3.3-7
# fixed with the recent unstable upload
close 751364 5.6.0~beta4+dfsg-3
thanks
Updating the found/fixed information for #751364.
Marked as fixed in versions php5/5.4.4-14+deb7u11.
Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 16 Jun 2014 19:33:08 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 Aug 2014 07:35:03 GMT)
Last modified: Wed Jun 19 13:31:20 2019