Debian Bug report logs -
#671880
php5: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
Reported by: Henri Salo <henri@nerv.fi>
Date: Mon, 7 May 2012 19:57:02 UTC
Severity: important
Tags: security
Found in version php5/5.4.2-1
Fixed in versions php5/5.4.3-1, php5/5.3.3-7+squeeze9
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
:
Bug#671880
; Package php5
.
(Mon, 07 May 2012 19:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Henri Salo <henri@nerv.fi>
:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
.
(Mon, 07 May 2012 19:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5
Version: 5.4.2-1
Severity: important
Tags: security
http://seclists.org/oss-sec/2012/q2/249
quote:
Hi,
I guess most of you have heard of this one already, yet it should be in
here as well. The original issue was tracked as CERT VU#520827,
CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete
fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
http://www.kb.cert.org/vuls/id/520827
http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
Alexander
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.3.3-7+squeeze8 server-side, HTML-embedded scripti
ii php5-cgi 5.3.3-7+squeeze8 server-side, HTML-embedded scripti
ii php5-common 5.3.3-7+squeeze8 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
Marked as fixed in versions php5/5.4.3-1 and php5/5.3.3-7+squeeze9.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org
.
(Mon, 06 Aug 2012 10:21:03 GMT) (full text, mbox, link).
Marked Bug as done
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org
.
(Mon, 06 Aug 2012 10:21:03 GMT) (full text, mbox, link).
Notification sent
to Henri Salo <henri@nerv.fi>
:
Bug acknowledged by developer.
(Mon, 06 Aug 2012 10:21:04 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 04 Sep 2012 07:30:12 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 15:11:54 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.