CVE-2009-0754: mbstring.func_overload setting leakage across vhosts

Debian Bug report logs - #523049
CVE-2009-0754: mbstring.func_overload setting leakage across vhosts

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

To: submit@bugs.debian.org

Subject: php5: multiple vulnerabilities

Date: Tue, 7 Apr 2009 19:00:41 -0400

Package: php5
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for php5.

CVE-2008-5814[0]:
| Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
| earlier, when display_errors is enabled, allows remote attackers to
| inject arbitrary web script or HTML via unspecified vectors.  NOTE:
| because of the lack of details, it is unclear whether this is related
| to CVE-2006-0208.

CVE-2009-0754[1]:
| PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
| local users to modify behavior of other sites hosted on the same web
| server by modifying the mbstring.func_overload setting within
| .htaccess, which causes this setting to be applied to other virtual
| hosts on the same server.

Please coordinate with the security team to prepare updated packages
for the stable releases.

There is more info in the redhat security alert [2].

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
    http://security-tracker.debian.net/tracker/CVE-2008-5814
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
    http://security-tracker.debian.net/tracker/CVE-2009-0754
[2] http://lwn.net/Articles/327524/

Message #10 received at 523028@bugs.debian.org (full text, mbox, reply):

From: sean finney <seanius@debian.org>

To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 523028@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: [php-maint] Bug#523028: php5: multiple vulnerabilities

Date: Wed, 8 Apr 2009 08:21:11 +0200

[Message part 1 (text/plain, inline)]

severity 523028 important
clone 523028 -1
retitle 523028 CVE-2008-5814: XSS vulnerability in PHP <= 5.2.7
retitle -1 CVE-2009-0754: mbstring.func_overload setting leakage across vhosts

hi michael,

in the future please file seperate bugs for seperate vulnerabilities.

i would say neither of these are critical vulnerabilities (though
both should be fixed), so i'm adjusting the severities down to important.

with regards to CVE-2008-5814: i believe we've previously tried to get
information from JVS about the specifics and haven't, so there isn't much
we can do and on principle i'm against tagging bogeyman bugs as grave :)

with regards to CVE-2008-5814, the scope is fairly limited and there's no
code execution/data deletion directly through this (it's just leakage of
mbstring function overloading across vhosts)


thanks,
	sean

On Tue, Apr 07, 2009 at 07:00:41PM -0400, Michael S. Gilbert wrote:
> Package: php5
> Severity: grave
> Tags: security
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for php5.
> 
> CVE-2008-5814[0]:
> | Cross-site scripting (XSS) vulnerability in PHP, possibly 5.2.7 and
> | earlier, when display_errors is enabled, allows remote attackers to
> | inject arbitrary web script or HTML via unspecified vectors.  NOTE:
> | because of the lack of details, it is unclear whether this is related
> | to CVE-2006-0208.
> 
> CVE-2009-0754[1]:
> | PHP 4.4.4, 5.1.6, and other versions, when running on Apache, allows
> | local users to modify behavior of other sites hosted on the same web
> | server by modifying the mbstring.func_overload setting within
> | .htaccess, which causes this setting to be applied to other virtual
> | hosts on the same server.
> 
> Please coordinate with the security team to prepare updated packages
> for the stable releases.
> 
> There is more info in the redhat security alert [2].
> 
> If you fix the vulnerabilities please also make sure to include the
> CVE ids in your changelog entry.
> 
> For further information see:
> 
> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5814
>     http://security-tracker.debian.net/tracker/CVE-2008-5814
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0754
>     http://security-tracker.debian.net/tracker/CVE-2009-0754
> [2] http://lwn.net/Articles/327524/
> 
> 
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint
> 

-- 

[signature.asc (application/pgp-signature, inline)]

Message #21 received at 523049-done@bugs.debian.org (full text, mbox, reply):

From: Raphael Geissert <atomo64@gmail.com>

To: control@bugs.debian.org

Cc: 523049-done@bugs.debian.org

Subject: fixed 523049 in 5.2.9.dfsg.1-1

Date: Tue, 21 Apr 2009 13:51:33 -0500

Version: 5.2.9.dfsg.1-1

As a matter of fact, the fix was shipped in 5.2.9
Old/stable are vulnerable, though.

Cheers,
Raphael Geissert

Message #26 received at 523049@bugs.debian.org (full text, mbox, reply):

From: Sean Finney <seanius@debian.org>

To: 523049@bugs.debian.org

Cc: ,control@bugs.debian.org

Subject: [/debian-lenny] CVE-2009-0754.patch: mbstring.func_overload leakage between apache2 vhosts

Date: Sun, 26 Apr 2009 19:32:09 +0000

tag 523049 pending
thanks

Date: Sun Apr 26 21:06:28 2009 +0200
Author: Sean Finney <seanius@debian.org>
Commit ID: 2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea

    CVE-2009-0754.patch: mbstring.func_overload leakage between apache2 vhosts

    Closes: #523049
      

Message #33 received at 523049@bugs.debian.org (full text, mbox, reply):

From: Sean Finney <seanius@debian.org>

To: 523049@bugs.debian.org

Cc: ,control@bugs.debian.org

Subject: [debian/debian-etch] CVE-2009-0754.patch: mbstring.func_overload leakage between apache2 vhosts

Date: Tue, 28 Apr 2009 12:15:45 +0000

tag 523049 pending
thanks

Date: Tue Apr 28 08:33:13 2009 +0200
Author: Sean Finney <seanius@debian.org>
Commit ID: 9917a8cb96dfa99d5af30cf4b1670edc81c669bd
Commit URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff;h=9917a8cb96dfa99d5af30cf4b1670edc81c669bd
Patch URL: http://git.debian.org/?p=pkg-php/php.git;a=commitdiff_plain;h=9917a8cb96dfa99d5af30cf4b1670edc81c669bd

    CVE-2009-0754.patch: mbstring.func_overload leakage between apache2 vhosts

    (cherry-picked from 2d73f5fcd24b0a2692beed4784ffc5e530bbe4ea)

    Closes: #523049

    Conflicts:

    	debian/patches/series
      

Message #40 received at 523049-close@bugs.debian.org (full text, mbox, reply):

From: Sean Finney <seanius@debian.org>

To: 523049-close@bugs.debian.org

Subject: Bug#523049: fixed in php5 5.2.6.dfsg.1-1+lenny3

Date: Mon, 08 Jun 2009 22:19:22 +0000

Source: php5
Source-Version: 5.2.6.dfsg.1-1+lenny3

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
  to pool/main/p/php5/php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5_5.2.6.dfsg.1-1+lenny3.diff.gz
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3.diff.gz
php5_5.2.6.dfsg.1-1+lenny3.dsc
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3.dsc
php5_5.2.6.dfsg.1-1+lenny3_all.deb
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Apr 2009 21:37:57 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-dev php5-dbg php-pear php5-curl php5-gd php5-gmp php5-imap php5-interbase php5-ldap php5-mcrypt php5-mhash php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.2.6.dfsg.1-1+lenny3
Distribution: stable-security
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 523028 523049
Changes: 
 php5 (5.2.6.dfsg.1-1+lenny3) stable-security; urgency=low
 .
   [ Sean Finney ]
   * CVE-2008-5814: XSS vulnerability via display_errors (Closes: #523028)
   * CVE-2009-0754.patch: mbstring.func_overload leakage between apache2
     vhosts (Closes: #523049)
   * CVE-2009-1271: remote DoS in json_decode()
   * add note about CVE-2009-1272 in previous version's changelog entry
 .
   [ Mark A. Hershberger ]
   * fix clean target to keep source in a consistant state for multiple builds
Checksums-Sha1: 
 46ea5501bfb50c6c559ecb12f4aa472e23e044e3 2520 php5_5.2.6.dfsg.1-1+lenny3.dsc
 eb4062afb5ac20f6a889ab9f40f2f9ada0755ba3 160126 php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 cb7e7ff1058a8ecb9a368aeb3550b0b9eae16563 367858 php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 baf2af4a6b1fc0ff72f6e822460bc1d14359c763 2615884 libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 163755875422cc3f6c869785b753546d028351fe 2614610 libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5dac41a220b34868872c402e8309a397d880a072 5083216 php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b1f1c9ca5e0ff246fdc9e5568dde3a329524e699 2563068 php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b9da5636a59bedecca03daa578798544c9232187 366086 php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ea977f8ead9a363c429180406575cade01f30a10 8300332 php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 e1507dc4c138ccad7e215e0a8831abd392d6dd1e 25260 php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ceef6ffaa88874d9016dae3af82d99378c258223 37046 php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7bb1d6aa9e447c48b647216c4f9c2660b55e5e65 16524 php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 c3d3b908aacd6826383af37330148448a817e6da 38098 php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 11133d964ec463500530cc0030b9ab640d101ea2 48452 php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 748e24274936895ea3aea1014070ee54ebf253bb 20160 php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9e2408a4771a21a39acd1afa6530ab76d2dedaf1 14190 php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 dec3f4bfc7d3d52eb74897ce0bea639f37134c05 5428 php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 910a97cf9d1179245c6c456cf98b2942c5d188fb 73714 php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 de21b305c763d9c11b245c974909d9528c4ea9dd 37864 php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 0eb843aded3166316eaea9748e6964cbd0c20f7a 56882 php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5f6cb167a9c6c147c185817d641d5fbd4680cd67 9474 php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ccde762e1d234dfe6449141fff2712dbe95e3da1 5100 php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 0a6c3fabe2a7cf2004937f51d623da192bc11f06 12350 php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9480484c155c2af691e1a428d7e03d18653e155e 39780 php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9138f781285f76cf4a88b4d4ae4dac2a2918d31e 28064 php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 662d14ed5bcd7de068c847ad791f4108103c520f 18134 php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5c32cb28776f02cca21cf193089e1298c9589c62 40912 php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 861a3b22ca5a27bc3855bf24e40d3e66e4837c53 13940 php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ee2200be83937df8034f7f56f0c1e8b01e0c8602 1078 php5_5.2.6.dfsg.1-1+lenny3_all.deb
 8d263f35a953b0e70f5e096956c3bbd86de2d64e 334564 php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
Checksums-Sha256: 
 5cac7af83b5e1bf8359166034cda2f3707e4586f8c1603480daff9eaf21e1c9f 2520 php5_5.2.6.dfsg.1-1+lenny3.dsc
 7fc99e2409ce75bac42445dc5c4474e471ae2ac8847e8f60db4f7ba52a718653 160126 php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 028c041b2ffc34aeadeba69d0216651f8f468a04b480cdeb7733cd0ae7d49550 367858 php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ed0952843bd4e683676144b7732b2e28981395c191f5ee2e2ab10813c2e4431f 2615884 libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 25d2697b061db23496570be2a1bd3f30b0af3bf765ac2ed4b77f8ece1664f28d 2614610 libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7248aaedeaf260d6ffd498dce219c6e4f6cf3b274a3ff95191812e001b73aeb2 5083216 php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 253d6909a0f73b3460eaa04b0e7f5f348c646a903fec68ad28f8af724e0953cf 2563068 php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b187b7a31d2df247ca9ca78185bb446ffa5b8221a511f093e84674c94e4ffd7f 366086 php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 a5e27c3b7a65a9394f63dcb99f313346f302b43afbf6ab85268dc9305718c494 8300332 php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 a8ef06a61d481b44f2414c096cfa52a372244b8b9d496e0f48e40479d1fab320 25260 php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 845cac22914b01ad3741ec90dc9a4d3ce28859c7752db4c813723a30c22c4a11 37046 php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 51f2b058ccda048efa0a6edafe42dcae8f99364a742125586babbb10ac8d42ba 16524 php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 174731bd32db85aebae0142e0cd5facff477eada9d69e8f640b22f554a8267be 38098 php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cbe15681ca140c2fa48323b8924f687e06eb86bd89b6063c7013f981e8159387 48452 php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 fd7f66d2a781f292459cb24f3c7731c0bcaf75add1544872400fed3a7c446b95 20160 php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 f8f57c8a96f55bc2153d4cb5856b8e5348c08d665afc75c62fb2004dea927960 14190 php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b80b5e50ba15bc5054ecb70adbc28ef9e8f9e375599f68c33350730573db35fd 5428 php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cd8fd64dbc7cba130105fbbeb1eef15ac2d06c8b611b86f29efe6314f352c375 73714 php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 866d761b899abaaa8a7d41042681fa57591bb53ee78a1a68ea1ae990a918cf33 37864 php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b0b6eec449fcebac997d69b130b1b8d56da90b3697b9395fb000f77b3c609cb7 56882 php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9879df5f734da02e7dc4177ded6c058727df623315013389eff43b8012ff26dc 9474 php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cce1c4975bf845f572589f0aaa84d6b9a695e10f20a0287920a9817fd4d30235 5100 php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 10c8914af92ee38d2bec164b20b94fe2e496cac53a663e65ef95d147af65c1ad 12350 php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 599f5fb5a1c7ffa8fa5bd752e5fc3efb1af98e73ee86fc6614563f5e97106541 39780 php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 49c0571fe864363f3cbb62e0a15829adc034d3752acaa69d6aedf9d9e135a088 28064 php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7a4604edeba69c283e8d8bbabe31b36532ee14f053db73ce8ae18005aa62b87b 18134 php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 3ce8ebc1bf95e579fb25985ad9bd43470ec30a7835c8cd904927ead45250fd2e 40912 php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 94b5f976e27f6eabd4ef50e3ff4c83ca017af0c88219696f25321493e7ea462a 13940 php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 02ba35f8fec62cb312ab6cd92db106ec96783a5471855aac8c3c612f2bcb63ba 1078 php5_5.2.6.dfsg.1-1+lenny3_all.deb
 bd0dc35bfdcea7f252fea854771824b6b84acd0601807f632046cb99519beb53 334564 php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
Files: 
 e865d9ad2851dcf9f83d71c148423c84 2520 web optional php5_5.2.6.dfsg.1-1+lenny3.dsc
 9a0f8b8a480b0d95ddecd7f82593e108 160126 web optional php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 5b8e49b3b892569219baf60a896dde95 367858 web optional php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 834747cef1119734261264d24094c5a2 2615884 web optional libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b309b2993a0aba0f495c57aaa909a274 2614610 web optional libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 428f888c54d8a5ebf783b6345d629a3f 5083216 web optional php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 80d0fc43130775d658af3f87ecea644f 2563068 web optional php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 bdb6555ef6bfba1d4d3a4466d5727325 366086 devel optional php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b282cbf7b62b897417eac1d3be14ef87 8300332 devel extra php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ff405813e6b71d4b90611eec50e96a8f 25260 web optional php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 baf59ec2824c389395a04a29d6dc8909 37046 web optional php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9b3ecd5606fa66b221b111b821018e54 16524 web optional php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 00258c838c19400ec990654cee6f7a96 38098 web optional php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 3ed659cf2aa7e178bfe049a5d5958f6a 48452 web optional php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b9f10192699c5c6a2613f595f5c40325 20160 web optional php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 62126774d34edcb24786676203fb08bd 14190 web optional php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 6ee59ecf0e008a8a230e28f907116d4f 5428 web optional php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 4aae04e66b706291291e2b03ebcea83f 73714 web optional php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 caecc5e8c8c5c0d4e0ed964365db2f92 37864 web optional php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 99560785fc2489866a1cdc32ba3df138 56882 web optional php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b0ef7faa0cc3f1cb1c3fb41b5ce05c30 9474 web optional php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 d0ea290a8c385c6aba602d28e4d2cd39 5100 web optional php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 df28abc45cbd11af84d28ac91b930f97 12350 web optional php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7a8fe62fdcd1b72a4be02ee2507b292b 39780 web optional php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 85097f2998fd151d955f572964e5d422 28064 web optional php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5c8e5ab6ac2f0c482222787bd7eb29c5 18134 web optional php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 94acf21a9170d6246259be00fb877386 40912 web optional php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 2357126080c8576f77095246abf9f37d 13940 web optional php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 68c3a9e139c81103fce02940c5e1951e 1078 web optional php5_5.2.6.dfsg.1-1+lenny3_all.deb
 b4c42ff4056be09e0cf2102445518736 334564 web optional php-pear_5.2.6.dfsg.1-1+lenny3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ9NXoynjLPm522B0RAnSCAJoDUAfnj4bE8ctYnMSRFgApGnpREACdE9Md
wpSJGZfM4QOYzTtofm8Gaok=
=gHr0
-----END PGP SIGNATURE-----

Message #45 received at 523049-close@bugs.debian.org (full text, mbox, reply):

From: Sean Finney <seanius@debian.org>

To: 523049-close@bugs.debian.org

Subject: Bug#523049: fixed in php5 5.2.6.dfsg.1-1+lenny3

Date: Sat, 27 Jun 2009 16:04:45 +0000

Source: php5
Source-Version: 5.2.6.dfsg.1-1+lenny3

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
  to pool/main/p/php5/php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
php5_5.2.6.dfsg.1-1+lenny3.diff.gz
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3.diff.gz
php5_5.2.6.dfsg.1-1+lenny3.dsc
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3.dsc
php5_5.2.6.dfsg.1-1+lenny3_all.deb
  to pool/main/p/php5/php5_5.2.6.dfsg.1-1+lenny3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 26 Apr 2009 21:37:57 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi php5-cli php5-dev php5-dbg php-pear php5-curl php5-gd php5-gmp php5-imap php5-interbase php5-ldap php5-mcrypt php5-mhash php5-mysql php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.2.6.dfsg.1-1+lenny3
Distribution: stable-security
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 523028 523049
Changes: 
 php5 (5.2.6.dfsg.1-1+lenny3) stable-security; urgency=low
 .
   [ Sean Finney ]
   * CVE-2008-5814: XSS vulnerability via display_errors (Closes: #523028)
   * CVE-2009-0754.patch: mbstring.func_overload leakage between apache2
     vhosts (Closes: #523049)
   * CVE-2009-1271: remote DoS in json_decode()
   * add note about CVE-2009-1272 in previous version's changelog entry
 .
   [ Mark A. Hershberger ]
   * fix clean target to keep source in a consistant state for multiple builds
Checksums-Sha1: 
 46ea5501bfb50c6c559ecb12f4aa472e23e044e3 2520 php5_5.2.6.dfsg.1-1+lenny3.dsc
 eb4062afb5ac20f6a889ab9f40f2f9ada0755ba3 160126 php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 cb7e7ff1058a8ecb9a368aeb3550b0b9eae16563 367858 php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 baf2af4a6b1fc0ff72f6e822460bc1d14359c763 2615884 libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 163755875422cc3f6c869785b753546d028351fe 2614610 libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5dac41a220b34868872c402e8309a397d880a072 5083216 php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b1f1c9ca5e0ff246fdc9e5568dde3a329524e699 2563068 php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b9da5636a59bedecca03daa578798544c9232187 366086 php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ea977f8ead9a363c429180406575cade01f30a10 8300332 php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 e1507dc4c138ccad7e215e0a8831abd392d6dd1e 25260 php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ceef6ffaa88874d9016dae3af82d99378c258223 37046 php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7bb1d6aa9e447c48b647216c4f9c2660b55e5e65 16524 php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 c3d3b908aacd6826383af37330148448a817e6da 38098 php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 11133d964ec463500530cc0030b9ab640d101ea2 48452 php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 748e24274936895ea3aea1014070ee54ebf253bb 20160 php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9e2408a4771a21a39acd1afa6530ab76d2dedaf1 14190 php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 dec3f4bfc7d3d52eb74897ce0bea639f37134c05 5428 php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 910a97cf9d1179245c6c456cf98b2942c5d188fb 73714 php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 de21b305c763d9c11b245c974909d9528c4ea9dd 37864 php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 0eb843aded3166316eaea9748e6964cbd0c20f7a 56882 php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5f6cb167a9c6c147c185817d641d5fbd4680cd67 9474 php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ccde762e1d234dfe6449141fff2712dbe95e3da1 5100 php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 0a6c3fabe2a7cf2004937f51d623da192bc11f06 12350 php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9480484c155c2af691e1a428d7e03d18653e155e 39780 php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9138f781285f76cf4a88b4d4ae4dac2a2918d31e 28064 php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 662d14ed5bcd7de068c847ad791f4108103c520f 18134 php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5c32cb28776f02cca21cf193089e1298c9589c62 40912 php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 861a3b22ca5a27bc3855bf24e40d3e66e4837c53 13940 php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ee2200be83937df8034f7f56f0c1e8b01e0c8602 1078 php5_5.2.6.dfsg.1-1+lenny3_all.deb
 8d263f35a953b0e70f5e096956c3bbd86de2d64e 334564 php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
Checksums-Sha256: 
 5cac7af83b5e1bf8359166034cda2f3707e4586f8c1603480daff9eaf21e1c9f 2520 php5_5.2.6.dfsg.1-1+lenny3.dsc
 7fc99e2409ce75bac42445dc5c4474e471ae2ac8847e8f60db4f7ba52a718653 160126 php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 028c041b2ffc34aeadeba69d0216651f8f468a04b480cdeb7733cd0ae7d49550 367858 php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ed0952843bd4e683676144b7732b2e28981395c191f5ee2e2ab10813c2e4431f 2615884 libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 25d2697b061db23496570be2a1bd3f30b0af3bf765ac2ed4b77f8ece1664f28d 2614610 libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7248aaedeaf260d6ffd498dce219c6e4f6cf3b274a3ff95191812e001b73aeb2 5083216 php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 253d6909a0f73b3460eaa04b0e7f5f348c646a903fec68ad28f8af724e0953cf 2563068 php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b187b7a31d2df247ca9ca78185bb446ffa5b8221a511f093e84674c94e4ffd7f 366086 php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 a5e27c3b7a65a9394f63dcb99f313346f302b43afbf6ab85268dc9305718c494 8300332 php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 a8ef06a61d481b44f2414c096cfa52a372244b8b9d496e0f48e40479d1fab320 25260 php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 845cac22914b01ad3741ec90dc9a4d3ce28859c7752db4c813723a30c22c4a11 37046 php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 51f2b058ccda048efa0a6edafe42dcae8f99364a742125586babbb10ac8d42ba 16524 php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 174731bd32db85aebae0142e0cd5facff477eada9d69e8f640b22f554a8267be 38098 php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cbe15681ca140c2fa48323b8924f687e06eb86bd89b6063c7013f981e8159387 48452 php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 fd7f66d2a781f292459cb24f3c7731c0bcaf75add1544872400fed3a7c446b95 20160 php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 f8f57c8a96f55bc2153d4cb5856b8e5348c08d665afc75c62fb2004dea927960 14190 php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b80b5e50ba15bc5054ecb70adbc28ef9e8f9e375599f68c33350730573db35fd 5428 php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cd8fd64dbc7cba130105fbbeb1eef15ac2d06c8b611b86f29efe6314f352c375 73714 php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 866d761b899abaaa8a7d41042681fa57591bb53ee78a1a68ea1ae990a918cf33 37864 php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b0b6eec449fcebac997d69b130b1b8d56da90b3697b9395fb000f77b3c609cb7 56882 php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9879df5f734da02e7dc4177ded6c058727df623315013389eff43b8012ff26dc 9474 php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 cce1c4975bf845f572589f0aaa84d6b9a695e10f20a0287920a9817fd4d30235 5100 php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 10c8914af92ee38d2bec164b20b94fe2e496cac53a663e65ef95d147af65c1ad 12350 php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 599f5fb5a1c7ffa8fa5bd752e5fc3efb1af98e73ee86fc6614563f5e97106541 39780 php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 49c0571fe864363f3cbb62e0a15829adc034d3752acaa69d6aedf9d9e135a088 28064 php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7a4604edeba69c283e8d8bbabe31b36532ee14f053db73ce8ae18005aa62b87b 18134 php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 3ce8ebc1bf95e579fb25985ad9bd43470ec30a7835c8cd904927ead45250fd2e 40912 php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 94b5f976e27f6eabd4ef50e3ff4c83ca017af0c88219696f25321493e7ea462a 13940 php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 02ba35f8fec62cb312ab6cd92db106ec96783a5471855aac8c3c612f2bcb63ba 1078 php5_5.2.6.dfsg.1-1+lenny3_all.deb
 bd0dc35bfdcea7f252fea854771824b6b84acd0601807f632046cb99519beb53 334564 php-pear_5.2.6.dfsg.1-1+lenny3_all.deb
Files: 
 e865d9ad2851dcf9f83d71c148423c84 2520 web optional php5_5.2.6.dfsg.1-1+lenny3.dsc
 9a0f8b8a480b0d95ddecd7f82593e108 160126 web optional php5_5.2.6.dfsg.1-1+lenny3.diff.gz
 5b8e49b3b892569219baf60a896dde95 367858 web optional php5-common_5.2.6.dfsg.1-1+lenny3_amd64.deb
 834747cef1119734261264d24094c5a2 2615884 web optional libapache2-mod-php5_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b309b2993a0aba0f495c57aaa909a274 2614610 web optional libapache2-mod-php5filter_5.2.6.dfsg.1-1+lenny3_amd64.deb
 428f888c54d8a5ebf783b6345d629a3f 5083216 web optional php5-cgi_5.2.6.dfsg.1-1+lenny3_amd64.deb
 80d0fc43130775d658af3f87ecea644f 2563068 web optional php5-cli_5.2.6.dfsg.1-1+lenny3_amd64.deb
 bdb6555ef6bfba1d4d3a4466d5727325 366086 devel optional php5-dev_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b282cbf7b62b897417eac1d3be14ef87 8300332 devel extra php5-dbg_5.2.6.dfsg.1-1+lenny3_amd64.deb
 ff405813e6b71d4b90611eec50e96a8f 25260 web optional php5-curl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 baf59ec2824c389395a04a29d6dc8909 37046 web optional php5-gd_5.2.6.dfsg.1-1+lenny3_amd64.deb
 9b3ecd5606fa66b221b111b821018e54 16524 web optional php5-gmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 00258c838c19400ec990654cee6f7a96 38098 web optional php5-imap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 3ed659cf2aa7e178bfe049a5d5958f6a 48452 web optional php5-interbase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b9f10192699c5c6a2613f595f5c40325 20160 web optional php5-ldap_5.2.6.dfsg.1-1+lenny3_amd64.deb
 62126774d34edcb24786676203fb08bd 14190 web optional php5-mcrypt_5.2.6.dfsg.1-1+lenny3_amd64.deb
 6ee59ecf0e008a8a230e28f907116d4f 5428 web optional php5-mhash_5.2.6.dfsg.1-1+lenny3_amd64.deb
 4aae04e66b706291291e2b03ebcea83f 73714 web optional php5-mysql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 caecc5e8c8c5c0d4e0ed964365db2f92 37864 web optional php5-odbc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 99560785fc2489866a1cdc32ba3df138 56882 web optional php5-pgsql_5.2.6.dfsg.1-1+lenny3_amd64.deb
 b0ef7faa0cc3f1cb1c3fb41b5ce05c30 9474 web optional php5-pspell_5.2.6.dfsg.1-1+lenny3_amd64.deb
 d0ea290a8c385c6aba602d28e4d2cd39 5100 web optional php5-recode_5.2.6.dfsg.1-1+lenny3_amd64.deb
 df28abc45cbd11af84d28ac91b930f97 12350 web optional php5-snmp_5.2.6.dfsg.1-1+lenny3_amd64.deb
 7a8fe62fdcd1b72a4be02ee2507b292b 39780 web optional php5-sqlite_5.2.6.dfsg.1-1+lenny3_amd64.deb
 85097f2998fd151d955f572964e5d422 28064 web optional php5-sybase_5.2.6.dfsg.1-1+lenny3_amd64.deb
 5c8e5ab6ac2f0c482222787bd7eb29c5 18134 web optional php5-tidy_5.2.6.dfsg.1-1+lenny3_amd64.deb
 94acf21a9170d6246259be00fb877386 40912 web optional php5-xmlrpc_5.2.6.dfsg.1-1+lenny3_amd64.deb
 2357126080c8576f77095246abf9f37d 13940 web optional php5-xsl_5.2.6.dfsg.1-1+lenny3_amd64.deb
 68c3a9e139c81103fce02940c5e1951e 1078 web optional php5_5.2.6.dfsg.1-1+lenny3_all.deb
 b4c42ff4056be09e0cf2102445518736 334564 web optional php-pear_5.2.6.dfsg.1-1+lenny3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ9NXoynjLPm522B0RAnSCAJoDUAfnj4bE8ctYnMSRFgApGnpREACdE9Md
wpSJGZfM4QOYzTtofm8Gaok=
=gHr0
-----END PGP SIGNATURE-----

Message #50 received at 523049-close@bugs.debian.org (full text, mbox, reply):

From: Sean Finney <seanius@debian.org>

To: 523049-close@bugs.debian.org

Subject: Bug#523049: fixed in php5 5.2.0+dfsg-8+etch45

Date: Fri, 03 Jul 2009 19:54:20 +0000

Source: php5
Source-Version: 5.2.0+dfsg-8+etch45

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/libapache-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
libapache2-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
php-pear_5.2.0+dfsg-8+etch45_all.deb
  to pool/main/p/php5/php-pear_5.2.0+dfsg-8+etch45_all.deb
php5-cgi_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.0+dfsg-8+etch45_amd64.deb
php5-cli_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.0+dfsg-8+etch45_amd64.deb
php5-common_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-common_5.2.0+dfsg-8+etch45_amd64.deb
php5-curl_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.0+dfsg-8+etch45_amd64.deb
php5-dev_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.0+dfsg-8+etch45_amd64.deb
php5-gd_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.0+dfsg-8+etch45_amd64.deb
php5-imap_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.0+dfsg-8+etch45_amd64.deb
php5-interbase_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.0+dfsg-8+etch45_amd64.deb
php5-ldap_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.0+dfsg-8+etch45_amd64.deb
php5-mcrypt_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.0+dfsg-8+etch45_amd64.deb
php5-mhash_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.0+dfsg-8+etch45_amd64.deb
php5-mysql_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.0+dfsg-8+etch45_amd64.deb
php5-odbc_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.0+dfsg-8+etch45_amd64.deb
php5-pgsql_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.0+dfsg-8+etch45_amd64.deb
php5-pspell_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.0+dfsg-8+etch45_amd64.deb
php5-recode_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.0+dfsg-8+etch45_amd64.deb
php5-snmp_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.0+dfsg-8+etch45_amd64.deb
php5-sqlite_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.0+dfsg-8+etch45_amd64.deb
php5-sybase_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.0+dfsg-8+etch45_amd64.deb
php5-tidy_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.0+dfsg-8+etch45_amd64.deb
php5-xmlrpc_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.0+dfsg-8+etch45_amd64.deb
php5-xsl_5.2.0+dfsg-8+etch45_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.0+dfsg-8+etch45_amd64.deb
php5_5.2.0+dfsg-8+etch45.diff.gz
  to pool/main/p/php5/php5_5.2.0+dfsg-8+etch45.diff.gz
php5_5.2.0+dfsg-8+etch45.dsc
  to pool/main/p/php5/php5_5.2.0+dfsg-8+etch45.dsc
php5_5.2.0+dfsg-8+etch45_all.deb
  to pool/main/p/php5/php5_5.2.0+dfsg-8+etch45_all.deb
php5_5.2.0+dfsg.orig.tar.gz
  to pool/main/p/php5/php5_5.2.0+dfsg.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 523049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <seanius@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 29 Apr 2009 17:55:41 +0200
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc php5-pspell libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-tidy php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mcrypt php5-mysql php5-common php5-imap php5-snmp php5-dev php5-sqlite libapache-mod-php5 php5-interbase
Architecture: source amd64 all
Version: 5.2.0+dfsg-8+etch45
Distribution: oldstable-security
Urgency: high
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Sean Finney <seanius@debian.org>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 341420 471104 507101 507857 508021 511493 523028 523049
Changes: 
 php5 (5.2.0+dfsg-8+etch45) oldstable-security; urgency=high
 .
   * The previous security upload was missing one fix.
   * The following security issues are addressed with this update:
     - CVE-2009-1271: remote DoS in json_decode()
       Patch: 149-CVE-2009-1271.patch
 .
 php5 (5.2.0+dfsg-8+etch44) oldstable-security; urgency=high
 .
   * The following security issues are addressed with this update:
     - CVE-2008-5624: proper initialization of uid/gid for apache2 sapi.
       Patch: 142-CVE-2008-5624.patch (closes: #508021).
     - CVE-2008-5557: heap overflows in the mbstring extension.
       Patch: 144-CVE-2008-5557.patch (closes: #511493).
     - CVE-2008-5658: directory traversal in the zip extension
       Patch: 148-CVE-2008-5658.patch (closes: #507857).
     - CVE-2008-2107/CVE-2008-2108: crypto weaknesses in php_rand module
       Patch: 212-CVE-2008-2107+2108.patch (borrowed from dapper).
     - CVE-2009-0754.patch: mbstring.func_overload leakage between vhosts
       Patch: 147-CVE-2009-0754.patch (closes: #523049).
     - CVE-2008-5814: XSS vulnerability via display_errors
       Patch: 146-CVE-2008-5814.patch (closes: #523028).
     - (no CVE): file truncation via inifile handler for the dba functions.
       Patch: 145-dba-inifile-truncation.patch (closes: #507101).
   * Backport the patch from lenny/sid to use the system timezone database
     instead of the embedded php timezone database which is out of date.
     Patch: 143-use_embedded_timezonedb.patch (closes: #471104).
   * Repack the etch version of php5, stripping out the (unused) dbase
     module which contained licensing problems (closes: #341420).
Files: 
 68d631a7860f0fc34516cc8bbf2938a5 1993 web optional php5_5.2.0+dfsg-8+etch45.dsc
 956486a588c577616a5008d185e84968 8431973 web optional php5_5.2.0+dfsg.orig.tar.gz
 27d7683a1388c69479b06ac1162e27a2 130902 web optional php5_5.2.0+dfsg-8+etch45.diff.gz
 294541ab5286e92e2895931547a4015e 218482 web optional php5-common_5.2.0+dfsg-8+etch45_amd64.deb
 aad636fd27d8f7d7575d5ff3b89dce3f 2433932 web optional libapache-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
 913d144ced4d3cbcbfd55361f60fe791 2434624 web optional libapache2-mod-php5_5.2.0+dfsg-8+etch45_amd64.deb
 7d29d3f231affd34e79719346d075327 4718800 web optional php5-cgi_5.2.0+dfsg-8+etch45_amd64.deb
 0b47996fb2a5944fd22ab8b65cf4c722 2379548 web optional php5-cli_5.2.0+dfsg-8+etch45_amd64.deb
 51b9e65a337166cdb1125549580abf89 345976 devel optional php5-dev_5.2.0+dfsg-8+etch45_amd64.deb
 5fbbeb2537f4876d7a516464d510173a 24994 web optional php5-curl_5.2.0+dfsg-8+etch45_amd64.deb
 99d582300b639a7db1b781ce76a28738 37124 web optional php5-gd_5.2.0+dfsg-8+etch45_amd64.deb
 5c0f91b30760d8512384c0f68dc2bf21 36726 web optional php5-imap_5.2.0+dfsg-8+etch45_amd64.deb
 ce7e64f8aa10fbc1f40149fcbd40f6e0 46630 web optional php5-interbase_5.2.0+dfsg-8+etch45_amd64.deb
 c24afd04176a516986910ab36e612f3c 18670 web optional php5-ldap_5.2.0+dfsg-8+etch45_amd64.deb
 4a7e7dd3e7e2b86097b9494bfa4dcec9 13494 web optional php5-mcrypt_5.2.0+dfsg-8+etch45_amd64.deb
 39eff740288549e5d8ea1cdce0c5f85b 5266 web optional php5-mhash_5.2.0+dfsg-8+etch45_amd64.deb
 c547292c0a0d6da49953e1001db139d8 71674 web optional php5-mysql_5.2.0+dfsg-8+etch45_amd64.deb
 3ace3d84f12b5a8e83248e738fcb706e 36416 web optional php5-odbc_5.2.0+dfsg-8+etch45_amd64.deb
 94aae1cea47eb7b61be1800e011a93b9 53952 web optional php5-pgsql_5.2.0+dfsg-8+etch45_amd64.deb
 1fdbf3acbf72ef317428fe4f60485882 9404 web optional php5-pspell_5.2.0+dfsg-8+etch45_amd64.deb
 4bb26c59f0c29152d7d62dd048b25bb2 4904 web optional php5-recode_5.2.0+dfsg-8+etch45_amd64.deb
 c4e5fd6ba704945b175c410a4b728672 12062 web optional php5-snmp_5.2.0+dfsg-8+etch45_amd64.deb
 90097351de2bac5c6e11a4f7fb5ec73d 38588 web optional php5-sqlite_5.2.0+dfsg-8+etch45_amd64.deb
 f80699a3c7592b7c38f50af56eeeb957 19438 web optional php5-sybase_5.2.0+dfsg-8+etch45_amd64.deb
 1d72cf93b65af6c999e443e656531123 17570 web optional php5-tidy_5.2.0+dfsg-8+etch45_amd64.deb
 9f9aea8b4be57aad3d2eda043e190c03 39166 web optional php5-xmlrpc_5.2.0+dfsg-8+etch45_amd64.deb
 7776dbf0c8a27a45fb358f2bb6c2f7f9 13030 web optional php5-xsl_5.2.0+dfsg-8+etch45_amd64.deb
 a6e0b8f0547c74c498749d28dac8b92f 1044 web optional php5_5.2.0+dfsg-8+etch45_all.deb
 c5fb5dc9ccfe7dfaabce6c5f6f289549 312534 web optional php-pear_5.2.0+dfsg-8+etch45_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJ+I4lynjLPm522B0RAmdjAJ43s1rbffo294Cq8GQSOvhm+0xEgwCfWOEB
WbxZlGNNyPHQcS9HKjoNg+E=
=ErOT
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.