Three more security issues

Debian Bug report logs - #603751
Three more security issues

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Three more security issues

Date: Tue, 16 Nov 2010 23:30:47 +0100

Package: php5
Severity: important
Tags: security

Hi Ondrey,
unfortunately there are three more security issue affecting PHP in Squeeze.

Filing as important to not block the current upload, but we should get
this fixed for Squeeze:

The following CVE links contain links to patches:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
pn  libapache2-mod-php5 | libapac <none>     (no description available)
pn  php5-common                   <none>     (no description available)

php5 recommends no packages.

php5 suggests no packages.

Message #10 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>

To: 603751@bugs.debian.org

Cc: ,control@bugs.debian.org

Subject: [debian/debian-sid] Pull fixes for CVE-2010-3709, CVE-2010-3870, CVE-2010-4156 from

Date: Wed, 17 Nov 2010 08:15:39 +0000

tag 603751 pending
thanks

Date: Wed Nov 17 09:14:19 2010 +0100
Author: Ondřej Surý <ondrej@sury.org>
Commit ID: 56ed9f3d516710a6a36a2034fe171f0bf00c3288
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=56ed9f3d516710a6a36a2034fe171f0bf00c3288
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=56ed9f3d516710a6a36a2034fe171f0bf00c3288

    Pull fixes for CVE-2010-3709, CVE-2010-3870, CVE-2010-4156 from
    upstream svn.

    Closes: #603751
      

Message #17 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 10:05:35 +0100

Hi Moritz, Adam,

thanks for heads up. I have cherry-picked fixes and they are in php
git. Do you need any help with backporting those to lenny? Anyway I am
going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
that I am going to upload 5.3.3-4.

Meanwhile I thought it might be a good idea to went through svn log
and I have found some more issues we might think about fixing
(basically I went through the log and have checked all crashes,
segfaults and leaks). The fixes below are small, self-contained and I
have hand checked them all for sanity. There's even one CVE in
openbasedir which we have not catched before.

Adam, what do you think. Do you want me to submit just CVE fixes or I
should go ahead and cherry-pick all those fixes below?

Ondrej.

------------------------------------------------------------------------
r305416 | felipe | 2010-11-16 22:02:14 +0100 (Út, 16 lis 2010) | 3 lines

- Fixed bug #53323 (pdo_firebird getAttribute() crash)
  patch by: preeves at ibphoenix dot com

------------------------------------------------------------------------
r304447 | felipe | 2010-10-16 19:52:01 +0200 (So, 16 říj 2010) | 2 lines

- Fixed bug #53070 (Calling enchant_broker_get_dict_path before
set_path crashes php)

------------------------------------------------------------------------
r303895 | dmitry | 2010-09-30 16:11:51 +0200 (Čt, 30 zář 2010) | 2 lines

Prevented crash in GC because of incorrect reference counting

------------------------------------------------------------------------
r303839 | felipe | 2010-09-29 03:25:35 +0200 (St, 29 zář 2010) | 2 lines

- Fixed bug #52947 (segfault when ssl stream option
capture_peer_cert_chain used)

------------------------------------------------------------------------
r303824 | pajoye | 2010-09-28 15:29:33 +0200 (Út, 28 zář 2010) | 1 line

- Fixed possible flaw in open_basedir (CVE-2010-3436)
------------------------------------------------------------------------
r303375 | felipe | 2010-09-15 04:12:46 +0200 (St, 15 zář 2010) | 2 lines

- Fixed bug #52843 (Segfault when optional parameters are not passed
in to mssql_connect)

------------------------------------------------------------------------
r303361 | aharvey | 2010-09-14 12:58:59 +0200 (Út, 14 zář 2010) | 3 lines

Fix bug #52827 (cURL leaks handle and causes assertion error (CURLOPT_STDERR)).
Patch by Gustavo.

------------------------------------------------------------------------
r302457 | kalle | 2010-08-18 22:16:05 +0200 (St, 18 srp 2010) | 3 lines

Fixed possible crash in php_mssql_get_column_content_without_type()

------------------------------------------------------------------------
r302085 | felipe | 2010-08-11 00:37:24 +0200 (St, 11 srp 2010) | 2 lines

- Fixed bug #52573 (SplFileObject::fscanf Segmentation fault)

------------------------------------------------------------------------
r302011 | felipe | 2010-08-09 01:56:29 +0200 (Po, 09 srp 2010) | 2 lines

- Fixed bug #50481 (Storing many SPLFixedArray in an array crashes)

------------------------------------------------------------------------
r301706 | felipe | 2010-07-30 01:38:55 +0200 (Pá, 30 čec 2010) | 2 lines

- Fixed bug #52487 (PDO::FETCH_INTO leaks memory)



Ondrej

On Tue, Nov 16, 2010 at 23:30, Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: php5
> Severity: important
> Tags: security
>
> Hi Ondrey,
> unfortunately there are three more security issue affecting PHP in Squeeze.
>
> Filing as important to not block the current upload, but we should get
> this fixed for Squeeze:
>
> The following CVE links contain links to patches:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4156
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3870
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3709
>
> Cheers,
>        Moritz
>
> -- System Information:
> Debian Release: squeeze/sid
>  APT prefers unstable
>  APT policy: (500, 'unstable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
> Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages php5 depends on:
> pn  libapache2-mod-php5 | libapac <none>     (no description available)
> pn  php5-common                   <none>     (no description available)
>
> php5 recommends no packages.
>
> php5 suggests no packages.
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #22 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Ondřej Surý <ondrej@debian.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org, "Adam D. Barratt" <adam@adam-barratt.org.uk>

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 21:06:53 +0100

On Wed, Nov 17, 2010 at 10:05:35AM +0100, Ondřej Surý wrote:
> Hi Moritz, Adam,
> 
> thanks for heads up. I have cherry-picked fixes and they are in php
> git. Do you need any help with backporting those to lenny? 

Raphael usually takes care of php5 for Lenny. IIRC there're a
lenny-branch in php-pkg svn, so you could already commit them.

> Meanwhile I thought it might be a good idea to went through svn log
> and I have found some more issues we might think about fixing
> (basically I went through the log and have checked all crashes,
> segfaults and leaks). The fixes below are small, self-contained and I
> have hand checked them all for sanity. There's even one CVE in
> openbasedir which we have not catched before.

open_basedir violations are not treated as security issues, see
README.Debian.security.

Cheers,
        Moritz

Message #27 received at 603751@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Ondřej Surý <ondrej@debian.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 20:32:58 +0000

On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
> thanks for heads up. I have cherry-picked fixes and they are in php
> git. Do you need any help with backporting those to lenny? Anyway I am
> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
> that I am going to upload 5.3.3-4.
> 
> Meanwhile I thought it might be a good idea to went through svn log
[...]
> The fixes below are small, self-contained and I
> have hand checked them all for sanity. There's even one CVE in
> openbasedir which we have not catched before.

I don't mind fixing the issues you mentioned if you think they're
important enough at this stage.  However, I'd prefer that an upload
including such fixes did not have high urgency, so it may depend how
urgent getting the security fixes in to Squeeze is.

Regards,

Adam

Message #32 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 22:36:21 +0100

On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
>> thanks for heads up. I have cherry-picked fixes and they are in php
>> git. Do you need any help with backporting those to lenny? Anyway I am
>> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
>> that I am going to upload 5.3.3-4.
>>
>> Meanwhile I thought it might be a good idea to went through svn log
> [...]
>> The fixes below are small, self-contained and I
>> have hand checked them all for sanity. There's even one CVE in
>> openbasedir which we have not catched before.
>
> I don't mind fixing the issues you mentioned if you think they're
> important enough at this stage.  However, I'd prefer that an upload
> including such fixes did not have high urgency, so it may depend how
> urgent getting the security fixes in to Squeeze is.

That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
and I think that those three CVEs are not that urgent. Moritz could
you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
already built) with those changes I mentioned when 5.3.3-3 has
migrated to testing.

Ondrej
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #37 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 22:38:09 +0100

On Wed, Nov 17, 2010 at 21:06, Moritz Muehlenhoff <jmm@inutil.org> wrote:
> On Wed, Nov 17, 2010 at 10:05:35AM +0100, Ondřej Surý wrote:
>> Hi Moritz, Adam,
>>
>> thanks for heads up. I have cherry-picked fixes and they are in php
>> git. Do you need any help with backporting those to lenny?
>
> Raphael usually takes care of php5 for Lenny. IIRC there're a
> lenny-branch in php-pkg svn, so you could already commit them.

Since Raphael's last message was that he's going to be offline, it's
probably up to me :-/. I'll see what I can do.

>> Meanwhile I thought it might be a good idea to went through svn log
>> and I have found some more issues we might think about fixing
>> (basically I went through the log and have checked all crashes,
>> segfaults and leaks). The fixes below are small, self-contained and I
>> have hand checked them all for sanity. There's even one CVE in
>> openbasedir which we have not catched before.
>
> open_basedir violations are not treated as security issues, see
> README.Debian.security.

I know and I wasn't suggesting to prepare security release in lenny.
Sorry for not being clear. Anyway I think it's worth fixing for
squeeze.

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #42 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>

To: Ondřej Surý <ondrej@debian.org>

Cc: "Adam D. Barratt" <adam@adam-barratt.org.uk>, Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Wed, 17 Nov 2010 23:30:58 +0100

On Wed, Nov 17, 2010 at 10:36:21PM +0100, Ondřej Surý wrote:
> On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
> > On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
> >> thanks for heads up. I have cherry-picked fixes and they are in php
> >> git. Do you need any help with backporting those to lenny? Anyway I am
> >> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
> >> that I am going to upload 5.3.3-4.
> >>
> >> Meanwhile I thought it might be a good idea to went through svn log
> > [...]
> >> The fixes below are small, self-contained and I
> >> have hand checked them all for sanity. There's even one CVE in
> >> openbasedir which we have not catched before.
> >
> > I don't mind fixing the issues you mentioned if you think they're
> > important enough at this stage.  However, I'd prefer that an upload
> > including such fixes did not have high urgency, so it may depend how
> > urgent getting the security fixes in to Squeeze is.
> 
> That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
> and I think that those three CVEs are not that urgent. Moritz could
> you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
> already built) with those changes I mentioned when 5.3.3-3 has
> migrated to testing.

Ack.

Cheers,
        Moritz

Message #47 received at 603751-close@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: 603751-close@bugs.debian.org

Subject: Bug#603751: fixed in php5 5.3.3-4

Date: Thu, 18 Nov 2010 18:03:27 +0000

Source: php5
Source-Version: 5.3.3-4

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.3.3-4_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.3.3-4_amd64.deb
libapache2-mod-php5filter_5.3.3-4_amd64.deb
  to main/p/php5/libapache2-mod-php5filter_5.3.3-4_amd64.deb
php-pear_5.3.3-4_all.deb
  to main/p/php5/php-pear_5.3.3-4_all.deb
php5-cgi_5.3.3-4_amd64.deb
  to main/p/php5/php5-cgi_5.3.3-4_amd64.deb
php5-cli_5.3.3-4_amd64.deb
  to main/p/php5/php5-cli_5.3.3-4_amd64.deb
php5-common_5.3.3-4_amd64.deb
  to main/p/php5/php5-common_5.3.3-4_amd64.deb
php5-curl_5.3.3-4_amd64.deb
  to main/p/php5/php5-curl_5.3.3-4_amd64.deb
php5-dbg_5.3.3-4_amd64.deb
  to main/p/php5/php5-dbg_5.3.3-4_amd64.deb
php5-dev_5.3.3-4_amd64.deb
  to main/p/php5/php5-dev_5.3.3-4_amd64.deb
php5-enchant_5.3.3-4_amd64.deb
  to main/p/php5/php5-enchant_5.3.3-4_amd64.deb
php5-gd_5.3.3-4_amd64.deb
  to main/p/php5/php5-gd_5.3.3-4_amd64.deb
php5-gmp_5.3.3-4_amd64.deb
  to main/p/php5/php5-gmp_5.3.3-4_amd64.deb
php5-imap_5.3.3-4_amd64.deb
  to main/p/php5/php5-imap_5.3.3-4_amd64.deb
php5-interbase_5.3.3-4_amd64.deb
  to main/p/php5/php5-interbase_5.3.3-4_amd64.deb
php5-intl_5.3.3-4_amd64.deb
  to main/p/php5/php5-intl_5.3.3-4_amd64.deb
php5-ldap_5.3.3-4_amd64.deb
  to main/p/php5/php5-ldap_5.3.3-4_amd64.deb
php5-mcrypt_5.3.3-4_amd64.deb
  to main/p/php5/php5-mcrypt_5.3.3-4_amd64.deb
php5-mysql_5.3.3-4_amd64.deb
  to main/p/php5/php5-mysql_5.3.3-4_amd64.deb
php5-odbc_5.3.3-4_amd64.deb
  to main/p/php5/php5-odbc_5.3.3-4_amd64.deb
php5-pgsql_5.3.3-4_amd64.deb
  to main/p/php5/php5-pgsql_5.3.3-4_amd64.deb
php5-pspell_5.3.3-4_amd64.deb
  to main/p/php5/php5-pspell_5.3.3-4_amd64.deb
php5-recode_5.3.3-4_amd64.deb
  to main/p/php5/php5-recode_5.3.3-4_amd64.deb
php5-snmp_5.3.3-4_amd64.deb
  to main/p/php5/php5-snmp_5.3.3-4_amd64.deb
php5-sqlite_5.3.3-4_amd64.deb
  to main/p/php5/php5-sqlite_5.3.3-4_amd64.deb
php5-sybase_5.3.3-4_amd64.deb
  to main/p/php5/php5-sybase_5.3.3-4_amd64.deb
php5-tidy_5.3.3-4_amd64.deb
  to main/p/php5/php5-tidy_5.3.3-4_amd64.deb
php5-xmlrpc_5.3.3-4_amd64.deb
  to main/p/php5/php5-xmlrpc_5.3.3-4_amd64.deb
php5-xsl_5.3.3-4_amd64.deb
  to main/p/php5/php5-xsl_5.3.3-4_amd64.deb
php5_5.3.3-4.diff.gz
  to main/p/php5/php5_5.3.3-4.diff.gz
php5_5.3.3-4.dsc
  to main/p/php5/php5_5.3.3-4.dsc
php5_5.3.3-4_all.deb
  to main/p/php5/php5_5.3.3-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 603751@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Nov 2010 10:31:58 +0100
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.3-4
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 603751
Changes: 
 php5 (5.3.3-4) unstable; urgency=low
 .
   * Cherry pick patches for (Closes: #603751):
     + NULL pointer dereference in ZipArchive::getArchiveComment
       (CVE-2010-3709)
     + utf8_decode xml_utf8_decode vulnerability (CVE-2010-3870)
     + mb_strcut() returns garbage with the excessive length parameter
     (CVE-2010-4156)
     + possible flaw in open_basedir (CVE-2010-3436)
     + segfault in SplFileObject::fscanf
     + memory leak in PDO::FETCH_INTO
     + crash when storing many SPLFixedArray in an array
     + possible crash in php_mssql_get_column_content_without_type()
     + cURL leaks handle and causes assertion error (CURLOPT_STDERR)
     + segfault when optional parameters are not passed in to mssql_connect
     + segfault when ssl stream option capture_peer_cert_chain used
     + crash in GC because of incorrect reference counting
     + crash when calling enchant_broker_get_dict_path before set_path
     + crash in pdo_firebird getAttribute()
Checksums-Sha1: 
 457eac7da1dc90a192714cc34088a49b8406a729 2752 php5_5.3.3-4.dsc
 893541250ffe73fdeb8a73f5f9f83c2c06be51a4 194053 php5_5.3.3-4.diff.gz
 03a44542b01d864bda551899b0602fd51d2599a7 544928 php5-common_5.3.3-4_amd64.deb
 5eb399bff32d6c3b0f34c8150f2c3cad62e853fc 3035544 libapache2-mod-php5_5.3.3-4_amd64.deb
 09cdabd6a8a0c01cbe88e5fdaf2a9170d9208b42 3034724 libapache2-mod-php5filter_5.3.3-4_amd64.deb
 d548a9a98f239ecfcecfa9f96d389563be6fe58f 5882584 php5-cgi_5.3.3-4_amd64.deb
 2aca3201a09d8059977e9a6cd5b941a2c5aa7390 2940774 php5-cli_5.3.3-4_amd64.deb
 c7a2af45841c64a983087ed02fb3a7b005153f4e 408872 php5-dev_5.3.3-4_amd64.deb
 6506f3e4d3d43b4839eeb59d3759fae8c6be3ab4 10291630 php5-dbg_5.3.3-4_amd64.deb
 0e45236c0025283219c5a10f7f54c950dbc4fa49 27024 php5-curl_5.3.3-4_amd64.deb
 29d38de2c5474ca35a83f78e033811ed23b0f891 8956 php5-enchant_5.3.3-4_amd64.deb
 bb1c2bdc089502e1d53aad082a58d2dbb420ad35 38934 php5-gd_5.3.3-4_amd64.deb
 d3a5adf86fba45f0fe8a767b2405c9dacfa0e145 16410 php5-gmp_5.3.3-4_amd64.deb
 43d83abcaa7b261a790b64796de7559abaa40928 34994 php5-imap_5.3.3-4_amd64.deb
 19c3d3c2bcd3517ce8fd2e9feae860ab7a16d286 49366 php5-interbase_5.3.3-4_amd64.deb
 b3d20a20d3a53e45031bac30cb0dd995e5ce7267 59352 php5-intl_5.3.3-4_amd64.deb
 a042c4adc478eac3ecfff2ba4b2eb310a295df9a 19790 php5-ldap_5.3.3-4_amd64.deb
 687769d00848587f565ef5ba6c13d506da4abb22 15178 php5-mcrypt_5.3.3-4_amd64.deb
 d6e9208ae9de91d4ff9e769b6087ed026fd13ea3 76502 php5-mysql_5.3.3-4_amd64.deb
 3f0448380967daf3825e3057821299ad4b6abaf8 35816 php5-odbc_5.3.3-4_amd64.deb
 3e3857131826aae7d6feb81e1ed9e9087371a04e 60354 php5-pgsql_5.3.3-4_amd64.deb
 7ccd3fd3576cb47a8e44bf27cd9accb048a72afe 8104 php5-pspell_5.3.3-4_amd64.deb
 330867e8055efef36b53a1f151b6924cc6786c28 4316 php5-recode_5.3.3-4_amd64.deb
 497334cc30fb9ff937783954c97a9b19cc92011e 11300 php5-snmp_5.3.3-4_amd64.deb
 00acb00e33fdd217c10cd6228feb8c11747e47f9 56080 php5-sqlite_5.3.3-4_amd64.deb
 97062fbb38356274a975bb66ba7a97c96487859d 26706 php5-sybase_5.3.3-4_amd64.deb
 2b3d6c961ca432004f6407d456749026b04fa8d9 18220 php5-tidy_5.3.3-4_amd64.deb
 c582d733ac2ccd8c43af93694e00ab01f3bd3943 34738 php5-xmlrpc_5.3.3-4_amd64.deb
 6e7412aa6d568ea131659ba13c3efb9d9ba63b7e 13290 php5-xsl_5.3.3-4_amd64.deb
 fadbdb5f427b115c64a3ca794152b7355d4cc619 1050 php5_5.3.3-4_all.deb
 807f7276be2812a73a321e8fa2ba39180e3573b3 364592 php-pear_5.3.3-4_all.deb
Checksums-Sha256: 
 5ab20e2d43d9db8a0e94959366a0b7c4b46595026b5d0ad066da81576e80b2c2 2752 php5_5.3.3-4.dsc
 99db8a46e6e81a23f21fb3712c5369e7e1615a8a9ae3eff0e3e46f74492d00a6 194053 php5_5.3.3-4.diff.gz
 7afaeac24282ee5f512991065e5322e2cc5c95e940fecb1a433c7421a4fb693c 544928 php5-common_5.3.3-4_amd64.deb
 686c5c2debd03e7cb201f4a6730535f0a7712b37cc5c6ce6a66918b3b6d0b61b 3035544 libapache2-mod-php5_5.3.3-4_amd64.deb
 76948f7300d8a3886175b37f72a0a577332ed5aff383fb5096b5c917dd0a0b72 3034724 libapache2-mod-php5filter_5.3.3-4_amd64.deb
 71f84a1faafdcb1954c726972d6faa7f5a7fb5bf03e8acbe1516b7659e86dfc8 5882584 php5-cgi_5.3.3-4_amd64.deb
 d836b18603aef892273e622cb61b580eb81fbdccac7e98b2dc396c8d7f598d20 2940774 php5-cli_5.3.3-4_amd64.deb
 6bd58833b02b29cdf57de0a94e08eeaf07217c2c02c3263d8181b4f3167ea85a 408872 php5-dev_5.3.3-4_amd64.deb
 8a0ff33ed9df825a92652995b439134e4a5c956cc34c9fe470dfedd63a6e2a1e 10291630 php5-dbg_5.3.3-4_amd64.deb
 465d8e2df82ab81dc6e095969db1fb24d83e5bba6aa1fe03a73e46f138330416 27024 php5-curl_5.3.3-4_amd64.deb
 f36d198aa11b3f6ee58bb783420807b4e897125424cd8273f2f98f88c146a1b2 8956 php5-enchant_5.3.3-4_amd64.deb
 db2eeeb123a88e68ccbefc97a1ca630f2ebda3028e0d9439669dcda3f2b2e97b 38934 php5-gd_5.3.3-4_amd64.deb
 38bfe9eb7eda135476b92efc99762a6a24996c9ca5f2e1efaaabe0356b67e2ac 16410 php5-gmp_5.3.3-4_amd64.deb
 09a543bacaef4bf1e896f3f1e1b92e6abf4d92dccbf94830b2d34bd5f85e1e41 34994 php5-imap_5.3.3-4_amd64.deb
 5d610d872fb3d8034bfebee327a5c399ada3185d4e05c11389e8c5d2faa2335c 49366 php5-interbase_5.3.3-4_amd64.deb
 acc3fefb4f4907e5593ba9ff99bfbe2cbb79684ba2b1cc6f4ef63e9f3f189300 59352 php5-intl_5.3.3-4_amd64.deb
 75728aace6b7c168086446c68fa1e8fc953d471d500c63412e091ac1d250e62c 19790 php5-ldap_5.3.3-4_amd64.deb
 d92dce9c9436d30983bc6fb057494372505a20da71e55bee529ae3e038f9e4f9 15178 php5-mcrypt_5.3.3-4_amd64.deb
 fe4a722faba9a117894a9cbb10b9166620d746798a6636b399d19bc67d948eaa 76502 php5-mysql_5.3.3-4_amd64.deb
 da4fa97231472265e7d328d08fa8d4abc59041a3b0a993568da40a207c8f9268 35816 php5-odbc_5.3.3-4_amd64.deb
 661739034145d1b1dd055e739d563b00f6be6e3c5974ca2a3665149e2b2641db 60354 php5-pgsql_5.3.3-4_amd64.deb
 c888418c4aa8476a9e90298f75b254c00e3bcb885f89ae02b77f0d2ec5ee9a5e 8104 php5-pspell_5.3.3-4_amd64.deb
 ad86d42a2e60bf74552af28401cd43b2d5c1d5d6f14baf3d7a0157fea5e7dde8 4316 php5-recode_5.3.3-4_amd64.deb
 af9b216277353c61214c76b3de71aba71db3046c64fbe6528f90853eb5705d18 11300 php5-snmp_5.3.3-4_amd64.deb
 5f74789aba13ab4966d401368fe81e2cd1e4eba5a16c332f9a7490b88e24801e 56080 php5-sqlite_5.3.3-4_amd64.deb
 a365ef4031b5cacf503d7864044ae98770d16e49150dbc26a27f177d230e51bb 26706 php5-sybase_5.3.3-4_amd64.deb
 9eef047402d51b060b4d2323b12037ce9255539809aaad9b6c26720ab9fe4afb 18220 php5-tidy_5.3.3-4_amd64.deb
 d1c888f45e7e9790bbe2f8c96a59feeb32458bfe654621253b12d9b99001102e 34738 php5-xmlrpc_5.3.3-4_amd64.deb
 0376ea17587ac415b16aa5dc6adae696db5f56f9a5af6e74c5ad92e00937b935 13290 php5-xsl_5.3.3-4_amd64.deb
 874a8bdf5804a413b2a46f13f6e8cb0acc0d825a4ba68ae44f8db10a53e3a66c 1050 php5_5.3.3-4_all.deb
 1f14ad6ce7bbe4edb4745390a98da7fe1ffe0f0b1df3e23d6f3ea86775c4f5f0 364592 php-pear_5.3.3-4_all.deb
Files: 
 798eae125f4ec383468ebeb0aafd71b9 2752 php optional php5_5.3.3-4.dsc
 54e04303b24adbd490066d6ba098bff5 194053 php optional php5_5.3.3-4.diff.gz
 0cc85b25bf6d6b8b7ae2fcbf1401c5f6 544928 php optional php5-common_5.3.3-4_amd64.deb
 98e0354e5aee0e5d5a26487a06342877 3035544 httpd optional libapache2-mod-php5_5.3.3-4_amd64.deb
 de2acc53e8abe285059edea05c26f5b9 3034724 httpd optional libapache2-mod-php5filter_5.3.3-4_amd64.deb
 904e6764ceacc2487d418a7ae558e187 5882584 php optional php5-cgi_5.3.3-4_amd64.deb
 981a7d99b91dfe31a72013ae0f689e86 2940774 php optional php5-cli_5.3.3-4_amd64.deb
 b56a6e0cb614fd39678a46ce2b2a7124 408872 php optional php5-dev_5.3.3-4_amd64.deb
 029f047fc3f6a2e9ca7e64be3ddbe978 10291630 debug extra php5-dbg_5.3.3-4_amd64.deb
 a8783be3a1daa437ed8f5e9fbb988091 27024 php optional php5-curl_5.3.3-4_amd64.deb
 2b34fe776e9646277436939b56019614 8956 php optional php5-enchant_5.3.3-4_amd64.deb
 321300871d9d807abb2afed4c025e9c5 38934 php optional php5-gd_5.3.3-4_amd64.deb
 afa7edc2eb82374f260a5a8d4996a554 16410 php optional php5-gmp_5.3.3-4_amd64.deb
 787249e6cb7ca98be0e8a8ee44fcd1a5 34994 php optional php5-imap_5.3.3-4_amd64.deb
 3fe35cb401237f344305899e7404a653 49366 php optional php5-interbase_5.3.3-4_amd64.deb
 2815c2d2c426d88d8230bee01f0d8f88 59352 php optional php5-intl_5.3.3-4_amd64.deb
 117ff0b0f64106eb987a2bae36be4634 19790 php optional php5-ldap_5.3.3-4_amd64.deb
 fffd1fe0615379b5a3beec6c34805c70 15178 php optional php5-mcrypt_5.3.3-4_amd64.deb
 3e345b80538902f173ceadabc8d10695 76502 php optional php5-mysql_5.3.3-4_amd64.deb
 cead47b1cddcc5830284bfe1dd360f47 35816 php optional php5-odbc_5.3.3-4_amd64.deb
 afff3586f430d139bb57bca5cc5e7d09 60354 php optional php5-pgsql_5.3.3-4_amd64.deb
 d1f04cff3788ca69099d85cd9fb5a949 8104 php optional php5-pspell_5.3.3-4_amd64.deb
 59b71b699a7ab8b48c6a9fd6494b426d 4316 php optional php5-recode_5.3.3-4_amd64.deb
 f91850846f0622b80fa44a7d2e3bf91e 11300 php optional php5-snmp_5.3.3-4_amd64.deb
 b9c09a14718a3a9ae1a2696e5cc18005 56080 php optional php5-sqlite_5.3.3-4_amd64.deb
 e6d1653209644e05b5803efc449c68e2 26706 php optional php5-sybase_5.3.3-4_amd64.deb
 63ac91b2390c846663fb667e59f74431 18220 php optional php5-tidy_5.3.3-4_amd64.deb
 9ccaca7d74c7ff7f072f421246ebf425 34738 php optional php5-xmlrpc_5.3.3-4_amd64.deb
 14a3371c92ae9323c4179c51a7b14a17 13290 php optional php5-xsl_5.3.3-4_amd64.deb
 cbedd95ed5b868ba1ffd10747abc0ee3 1050 php optional php5_5.3.3-4_all.deb
 08abd135ed8296ac23e21c0b30e0e5c4 364592 php optional php-pear_5.3.3-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkzlZUwACgkQ9OZqfMIN8nOdQQCcCrpTbX7X8STDjzL1FzdWJ2jN
/m8AoJJ0oOf2XA8zhuLRNsk7iDlRp5ZI
=zhiQ
-----END PGP SIGNATURE-----

Message #52 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Fri, 19 Nov 2010 07:54:57 +0100

Adam,

I have uploaded 5.3.3-4 with urgency=low. Please unblock when you are
comfortable.

Thank you,
Ondrej

On Wed, Nov 17, 2010 at 22:36, Ondřej Surý <ondrej@debian.org> wrote:
> On Wed, Nov 17, 2010 at 21:32, Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
>> On Wed, 2010-11-17 at 10:05 +0100, Ondřej Surý wrote:
>>> thanks for heads up. I have cherry-picked fixes and they are in php
>>> git. Do you need any help with backporting those to lenny? Anyway I am
>>> going to wait for 5.3.3-3 to squeeze into the squeeze :) and after
>>> that I am going to upload 5.3.3-4.
>>>
>>> Meanwhile I thought it might be a good idea to went through svn log
>> [...]
>>> The fixes below are small, self-contained and I
>>> have hand checked them all for sanity. There's even one CVE in
>>> openbasedir which we have not catched before.
>>
>> I don't mind fixing the issues you mentioned if you think they're
>> important enough at this stage.  However, I'd prefer that an upload
>> including such fixes did not have high urgency, so it may depend how
>> urgent getting the security fixes in to Squeeze is.
>
> That's fair since we are waiting for 5.3.3-3 to be in squeeze anyway
> and I think that those three CVEs are not that urgent. Moritz could
> you correct me if I am wrong? So I am going to upload 5.3.3-4 (it's
> already built) with those changes I mentioned when 5.3.3-3 has
> migrated to testing.
>
> Ondrej
> --
> Ondřej Surý <ondrej@sury.org>
> http://blog.rfc1925.org/
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Message #57 received at 603751@bugs.debian.org (full text, mbox, reply):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

To: Ondřej Surý <ondrej@debian.org>

Cc: Moritz Muehlenhoff <jmm@debian.org>, 603751@bugs.debian.org, debian-release@lists.debian.org

Subject: Re: [php-maint] Bug#603751: Three more security issues

Date: Sun, 21 Nov 2010 16:26:17 +0000

On Fri, 2010-11-19 at 07:54 +0100, Ondřej Surý wrote:
> I have uploaded 5.3.3-4 with urgency=low. Please unblock when you are
> comfortable.

Unblocked; thanks.

Regards,

Adam

Message #62 received at 603751@bugs.debian.org (full text, mbox, reply):

From: Ralf Becker <rb@stylite.de>

To: 603751@bugs.debian.org

Subject: reports php5-5.3.3-4 fixes segfaults rendering all previous php5-5.3.3 versions unsuable

Date: Fri, 26 Nov 2010 08:09:23 +0100

Hi,

there are reports on EGroupware lists, that php5-5.3.3-4 is the first 
PHP 5.3.3 version, usable with EGroupware.

All previous version segfaulted in many areas. Reported by docents of 
Debian (and Ubuntu) users on all our lists.

Maybe that helps deciding about the urgency to include 5.3.3-4 into 
Debian 6.

Ralf
-- 
Ralf Becker
Director Software Development

Stylite GmbH
[open style of IT]

Morschheimer Strasse 15
67292 Kirchheimbolanden

fon  +49 (0) 6352 70629-0
fax  +49 (0) 6352 70629-30
mailto: rb@stylite.de

www.stylite.de
www.egroupware.org
________________________________________________

Geschäftsführer Andre Keller,
	Gudrun Müller, Ralf Becker
Registergericht Kaiserslautern HRB 30575
Umsatzsteuer-Id / VAT-Id: DE214280951

Message #67 received at 603751-done@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: 603751-done@bugs.debian.org

Subject: Re: [php-maint] Bug#603751: reports php5-5.3.3-4 fixes segfaults rendering all previous php5-5.3.3 versions unsuable

Date: Tue, 30 Nov 2010 15:22:34 +0100

Version: 5.3.3-4

Thanks for the report. Closing the bug.

Ondrej

On Fri, Nov 26, 2010 at 08:09, Ralf Becker <rb@stylite.de> wrote:
> Hi,
>
> there are reports on EGroupware lists, that php5-5.3.3-4 is the first PHP
> 5.3.3 version, usable with EGroupware.
>
> All previous version segfaulted in many areas. Reported by docents of Debian
> (and Ubuntu) users on all our lists.
>
> Maybe that helps deciding about the urgency to include 5.3.3-4 into Debian
> 6.
>
> Ralf
> --
> Ralf Becker
> Director Software Development
>
> Stylite GmbH
> [open style of IT]
>
> Morschheimer Strasse 15
> 67292 Kirchheimbolanden
>
> fon  +49 (0) 6352 70629-0
> fax  +49 (0) 6352 70629-30
> mailto: rb@stylite.de
>
> www.stylite.de
> www.egroupware.org
> ________________________________________________
>
> Geschäftsführer Andre Keller,
>        Gudrun Müller, Ralf Becker
> Registergericht Kaiserslautern HRB 30575
> Umsatzsteuer-Id / VAT-Id: DE214280951
>
>
>
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
>



-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/

Send a report that this bug log contains spam.