Your message dated Wed, 24 Sep 2008 21:32:13 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499988: fixed in php5 5.2.6-4
has caused the Debian Bug report #499988,
regarding CVE-2008-3659: Buffer overflow in the memnstr function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
499988: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499988
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: php5
Version: 5.2.6-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

via http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659:

Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP
5.6 through 5.2.6 allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via the delimiter
argument to the explode function. NOTE: the scope of this issue is limited
since most applications would not use an attacker-controlled delimiter,
but local attacks against safe_mode are feasible.



while the attack vector may be somewhat limited, apparently this vector
is actually used in practice by a number of apps, so we should include
the patch (well we in fact have already incorporated it into the svn
repo, but it has not yet been released):

http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch


        sean

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
ii  libapache2-mod-php5           5.2.6-3    server-side, HTML-embedded scripti
ii  php5-cgi                      5.2.6-3    server-side, HTML-embedded scripti
ii  php5-common                   5.2.6-3    Common files for packages built fr

php5 recommends no packages.

php5 suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI2eAtynjLPm522B0RAon9AJ9BaYTEx909jJMUGrl8RS1YxjxUkgCfbdfH
RHer27eJlWdu5BMJCLTzEUw=
=facc
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: php5
Source-Version: 5.2.6-4

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.2.6-4_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.6-4_amd64.deb
libapache2-mod-php5filter_5.2.6-4_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5filter_5.2.6-4_amd64.deb
php-pear_5.2.6-4_all.deb
  to pool/main/p/php5/php-pear_5.2.6-4_all.deb
php5-cgi_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.6-4_amd64.deb
php5-cli_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.6-4_amd64.deb
php5-common_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-common_5.2.6-4_amd64.deb
php5-curl_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.6-4_amd64.deb
php5-dbg_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-dbg_5.2.6-4_amd64.deb
php5-dev_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.6-4_amd64.deb
php5-gd_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.6-4_amd64.deb
php5-gmp_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-gmp_5.2.6-4_amd64.deb
php5-imap_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.6-4_amd64.deb
php5-interbase_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.6-4_amd64.deb
php5-ldap_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.6-4_amd64.deb
php5-mcrypt_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.6-4_amd64.deb
php5-mhash_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.6-4_amd64.deb
php5-mysql_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.6-4_amd64.deb
php5-odbc_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.6-4_amd64.deb
php5-pgsql_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.6-4_amd64.deb
php5-pspell_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.6-4_amd64.deb
php5-recode_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.6-4_amd64.deb
php5-snmp_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.6-4_amd64.deb
php5-sqlite_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.6-4_amd64.deb
php5-sybase_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.6-4_amd64.deb
php5-tidy_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.6-4_amd64.deb
php5-xmlrpc_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.6-4_amd64.deb
php5-xsl_5.2.6-4_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.6-4_amd64.deb
php5_5.2.6-4.diff.gz
  to pool/main/p/php5/php5_5.2.6-4.diff.gz
php5_5.2.6-4.dsc
  to pool/main/p/php5/php5_5.2.6-4.dsc
php5_5.2.6-4_all.deb
  to pool/main/p/php5/php5_5.2.6-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <[EMAIL PROTECTED]> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 14 Sep 2008 14:25:11 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi
 php5-cli php5-dev php5-dbg php-pear php5-curl php5-gd php5-gmp php5-imap
 php5-interbase php5-ldap php5-mcrypt php5-mhash php5-mysql php5-odbc php5-pgsql
 php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase php5-tidy php5-xmlrpc
 php5-xsl
Architecture: source amd64 all
Version: 5.2.6-4
Distribution: unstable
Urgency: high
Maintainer: Debian PHP Maintainers <[EMAIL PROTECTED]>
Changed-By: Sean Finney <[EMAIL PROTECTED]>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 423296 499987 499988 499989
Changes: 
 php5 (5.2.6-4) unstable; urgency=high
 .
   [ Sean Finney ]
   * Take three unreleased fixes from upstream CVS:
     - CVE-2008-3658: Buffer overflow in the imageloadfont function.
       Patch: CVE-2008-3658.patch (closes: #499989)
     - CVE-2008-3659: Buffer overflow in the memnstr function.
       Patch: CVE-2008-3659.patch (closes: #499988)
     - CVE-2008-3660: Remote DoS in fastcgi module
       Patch: CVE-2008-3660.patch (closes: #499987)
 .
   [ Raphael Geissert ]
   * snmp_leaks.patch: fixes memory leaks in the snmp extension (Closes: #423296)
     - Thanks to Rodrigo Campos <[EMAIL PROTECTED]> for the follow up
     - Thanks to Federico Cuello for the original patch
   * php5-dev.lintian-override: fix it so it actually works

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI2rCqynjLPm522B0RAjVYAJ9z/qwo590XUYlFuwaTsGEWwyG7TACeOFBt
BIw4wdOh3zXhvCJOval60EI=
=8UQo
-----END PGP SIGNATURE-----



--- End Message ---
