Debian Bug report logs -
#347894
php5: Two security problems in PHP5
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 13 Jan 2006 11:33:02 UTC
Severity: grave
Tags: security
Fixed in version php5/5.1.2-1
Done: Adam Conrad <adconrad@0c3.net>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#347894; Package php5.
(full text, mbox, link).
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5
Severity: grave
Tags: security
Justification: user security hole
Two security problems have been found in PHP5. For details please see
http://www.hardened-php.net/advisory_012006.112.html
http://www.hardened-php.net/advisory_022006.113.html
PHP 4 is not affected, so this only affects testing and sid.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #10 received at 347894-close@bugs.debian.org (full text, mbox, reply):
Source: php5
Source-Version: 5.1.2-1
We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:
libapache-mod-php5_5.1.2-1_i386.deb
to pool/main/p/php5/libapache-mod-php5_5.1.2-1_i386.deb
libapache2-mod-php5_5.1.2-1_i386.deb
to pool/main/p/php5/libapache2-mod-php5_5.1.2-1_i386.deb
php-pear_5.1.2-1_all.deb
to pool/main/p/php5/php-pear_5.1.2-1_all.deb
php5-cgi_5.1.2-1_i386.deb
to pool/main/p/php5/php5-cgi_5.1.2-1_i386.deb
php5-cli_5.1.2-1_i386.deb
to pool/main/p/php5/php5-cli_5.1.2-1_i386.deb
php5-common_5.1.2-1_i386.deb
to pool/main/p/php5/php5-common_5.1.2-1_i386.deb
php5-curl_5.1.2-1_i386.deb
to pool/main/p/php5/php5-curl_5.1.2-1_i386.deb
php5-dev_5.1.2-1_i386.deb
to pool/main/p/php5/php5-dev_5.1.2-1_i386.deb
php5-gd_5.1.2-1_i386.deb
to pool/main/p/php5/php5-gd_5.1.2-1_i386.deb
php5-ldap_5.1.2-1_i386.deb
to pool/main/p/php5/php5-ldap_5.1.2-1_i386.deb
php5-mhash_5.1.2-1_i386.deb
to pool/main/p/php5/php5-mhash_5.1.2-1_i386.deb
php5-mysql_5.1.2-1_i386.deb
to pool/main/p/php5/php5-mysql_5.1.2-1_i386.deb
php5-odbc_5.1.2-1_i386.deb
to pool/main/p/php5/php5-odbc_5.1.2-1_i386.deb
php5-pgsql_5.1.2-1_i386.deb
to pool/main/p/php5/php5-pgsql_5.1.2-1_i386.deb
php5-recode_5.1.2-1_i386.deb
to pool/main/p/php5/php5-recode_5.1.2-1_i386.deb
php5-snmp_5.1.2-1_i386.deb
to pool/main/p/php5/php5-snmp_5.1.2-1_i386.deb
php5-sqlite_5.1.2-1_i386.deb
to pool/main/p/php5/php5-sqlite_5.1.2-1_i386.deb
php5-sybase_5.1.2-1_i386.deb
to pool/main/p/php5/php5-sybase_5.1.2-1_i386.deb
php5-xmlrpc_5.1.2-1_i386.deb
to pool/main/p/php5/php5-xmlrpc_5.1.2-1_i386.deb
php5-xsl_5.1.2-1_i386.deb
to pool/main/p/php5/php5-xsl_5.1.2-1_i386.deb
php5_5.1.2-1.diff.gz
to pool/main/p/php5/php5_5.1.2-1.diff.gz
php5_5.1.2-1.dsc
to pool/main/p/php5/php5_5.1.2-1.dsc
php5_5.1.2-1_all.deb
to pool/main/p/php5/php5_5.1.2-1_all.deb
php5_5.1.2.orig.tar.gz
to pool/main/p/php5/php5_5.1.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 347894@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated php5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 16 Jan 2006 16:12:31 +1100
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: source i386 all
Version: 5.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description:
libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (meta-package)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dev - Files for PHP5 module development
php5-gd - GD module for php5
php5-ldap - LDAP module for php5
php5-mhash - MHASH module for php5
php5-mysql - MySQL module for php5
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 346479 346501 346550 347894
Changes:
php5 (5.1.2-1) unstable; urgency=low
.
* New upstream bugfix and security update release (closes: #347894)
- Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
- Resolves multiple HTTP response splitting vulnerabilities, allowing
arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
- While we don't currently build it, this release also fixes a format
string vulnerability in the mysqli extension; see CVE-2006-0200
- Includes a new version of the PEAR installer that seems to have a
slightly better clue about the difference between INSTALL_ROOT and
PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501)
* While the above is partially true, the PEAR installer is still a bit
broken (it won't install correctly under fakeroot anymore, YAY), so
shuffle debian/rules to have a build-pear-stamp target, as a stopgap.
* Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down
in ext/standard/datetime.c, below the php.h include (closes: #346550)
* Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to
properly call the PHP_ARG_ENABLE macro for an extension, not built-in.
* Stop php-pear from Replacing and Conflicting with php-html-template-it,
as we only now ship the bare essential to make the pear installer go.
Files:
3621a044d82dc672ae54653a4fe7c75f 1778 web optional php5_5.1.2-1.dsc
b5b6564e8c6a0d5bc1d2b4787480d792 8064193 web optional php5_5.1.2.orig.tar.gz
4f9feaaf0c72d9ae2f7497364ea227e6 97057 web optional php5_5.1.2-1.diff.gz
03b3a6a8c06c8bf05fc9796832616602 130434 web optional php5-common_5.1.2-1_i386.deb
243d124b9c54b564210230ad7bdf0060 2339380 web optional libapache-mod-php5_5.1.2-1_i386.deb
047db563ca967986c4096be789d4817a 2340960 web optional libapache2-mod-php5_5.1.2-1_i386.deb
dea271367841591494c6bd0c14547cdd 4635746 web optional php5-cgi_5.1.2-1_i386.deb
e6f53a094ea7fa46f49ba142704f4929 2328658 web optional php5-cli_5.1.2-1_i386.deb
5cec13d581c65fc3c832406530675ad5 312520 devel optional php5-dev_5.1.2-1_i386.deb
0a64f56fc0b55439dc60a890536ddfea 23802 web optional php5-curl_5.1.2-1_i386.deb
661ef5eeec364d8176ba687954428dea 34122 web optional php5-gd_5.1.2-1_i386.deb
e92ce6b3cab82150302dccfce2a49a20 20668 web optional php5-ldap_5.1.2-1_i386.deb
ce64ee5db6873056ca23b93e90f6a6f7 8528 web optional php5-mhash_5.1.2-1_i386.deb
20d6bdac41301a9160f00e0be2bc15df 23028 web optional php5-mysql_5.1.2-1_i386.deb
be60c39a1ee98221860fcc979b8421e3 28270 web optional php5-odbc_5.1.2-1_i386.deb
1e69c6dd1a80139fc64bcb3ab981aeac 41894 web optional php5-pgsql_5.1.2-1_i386.deb
c348f22e7809e2c389ad67df99dbec33 8192 web optional php5-recode_5.1.2-1_i386.deb
de7a836d1dfeaa73ea7cae0b964a9665 14626 web optional php5-snmp_5.1.2-1_i386.deb
6e8cb69882b53b19d22dfb2395fd80a4 26956 web optional php5-sqlite_5.1.2-1_i386.deb
489e2ca4bb90146884c5f8c926cf5492 21392 web optional php5-sybase_5.1.2-1_i386.deb
47b18c6bef42a836d5a081ee0f2842b4 39628 web optional php5-xmlrpc_5.1.2-1_i386.deb
3b7f2f0671cd27d9e3b1fadf1044258f 15606 web optional php5-xsl_5.1.2-1_i386.deb
18f59d15b1cb6d6d5e586436dc864571 1036 web optional php5_5.1.2-1_all.deb
fa3a3d105b652f5541a3419be7336a99 301962 web optional php-pear_5.1.2-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDzeZBvjztR8bOoMkRAkjAAKC8Ty2T/KHPKM6kVdvCgrVMwe+vQACgrbrx
XF4IU09C1On7TZ/KZ5lWp8g=
=qgX6
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 05:54:55 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:06:41 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon