Your message dated Thu, 23 Oct 2008 15:28:10 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#499987: fixed in php5 5.2.0-8+etch13
has caused the Debian Bug report #499987,
regarding CVE-2008-3660: fastcgi module vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
499987: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499987
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: php5
Version: 5.2.6-3
Severity: important
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

via http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660

PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used as a FastCGI
module, allows remote attackers to cause a denial of service (crash)
via a request with multiple dots preceding the extension, as demonstrated
using foo..php.

patch:

http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch

- -- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5 depends on:
ii  libapache2-mod-php5           5.2.6-3    server-side, HTML-embedded scripti
ii  php5-cgi                      5.2.6-3    server-side, HTML-embedded scripti
ii  php5-common                   5.2.6-3    Common files for packages built fr

php5 recommends no packages.

php5 suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI2d9CynjLPm522B0RAltTAJ92rgbk6C29VbCEYZGvrNvoOvVB9gCghdDw
xM8Ei8VXD0LEZXugHYeXmXo=
=RGSS
-----END PGP SIGNATURE-----



--- End Message ---
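A log check for the request shape described in the report above (two or more dots directly before the extension, as in foo..php), added here as an example and not part of the original bug report or the PHP patch. It assumes Apache combined-format access logs; the sample lines, the extension list and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Client address, request target and status from a "combined" log line
# (assumed log format; adjust the pattern for other layouts).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A path segment ending in two or more consecutive dots followed by a
# PHP-style extension, e.g. "foo..php". The extension list is an assumption.
MULTIDOT_RE = re.compile(r'[^/]*\.{2,}(?:php\d?|phtml)', re.IGNORECASE)


def suspicious_path(target):
    """Return the decoded path if any segment matches the pattern, else None."""
    path = target.split('?', 1)[0].split('#', 1)[0]
    # Decode twice so %2e and double-encoded %252e dots are normalised.
    path = unquote(unquote(path))
    if any(MULTIDOT_RE.fullmatch(seg) for seg in path.split('/')):
        return path
    return None


def scan(lines):
    """Return (client, status, decoded path) for each matching request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        path = suspicious_path(m.group('target'))
        if path is not None:
            hits.append((m.group('ip'), int(m.group('status')), path))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2008:15:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Oct/2008:15:01:05 +0000] "GET /foo..php HTTP/1.1" 500 0 "-" "curl/7.18"',
    '198.51.100.7 - - [23/Oct/2008:15:01:06 +0000] "GET /app/foo%2e%2e.php?x=1 HTTP/1.0" 500 0 "-" "-"',
    '203.0.113.4 - - [23/Oct/2008:15:02:00 +0000] "GET /../etc/passwd HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.4 - - [23/Oct/2008:15:02:09 +0000] "GET /docs/v1..2/readme.html HTTP/1.1" 200 90 "-" "-"',
]

if __name__ == '__main__':
    for ip, status, path in scan(SAMPLE_LOG):
        print(ip, status, path)
```

Plain `..` traversal segments and dotted directory names are deliberately not flagged, so hits stay specific to the pattern in the CVE text.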
--- Begin Message ---
Source: php5
Source-Version: 5.2.0-8+etch13

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/libapache-mod-php5_5.2.0-8+etch13_amd64.deb
libapache2-mod-php5_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/libapache2-mod-php5_5.2.0-8+etch13_amd64.deb
php-pear_5.2.0-8+etch13_all.deb
  to pool/main/p/php5/php-pear_5.2.0-8+etch13_all.deb
php5-cgi_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-cgi_5.2.0-8+etch13_amd64.deb
php5-cli_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-cli_5.2.0-8+etch13_amd64.deb
php5-common_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-common_5.2.0-8+etch13_amd64.deb
php5-curl_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-curl_5.2.0-8+etch13_amd64.deb
php5-dev_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-dev_5.2.0-8+etch13_amd64.deb
php5-gd_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-gd_5.2.0-8+etch13_amd64.deb
php5-imap_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-imap_5.2.0-8+etch13_amd64.deb
php5-interbase_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-interbase_5.2.0-8+etch13_amd64.deb
php5-ldap_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-ldap_5.2.0-8+etch13_amd64.deb
php5-mcrypt_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-mcrypt_5.2.0-8+etch13_amd64.deb
php5-mhash_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-mhash_5.2.0-8+etch13_amd64.deb
php5-mysql_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-mysql_5.2.0-8+etch13_amd64.deb
php5-odbc_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-odbc_5.2.0-8+etch13_amd64.deb
php5-pgsql_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-pgsql_5.2.0-8+etch13_amd64.deb
php5-pspell_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-pspell_5.2.0-8+etch13_amd64.deb
php5-recode_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-recode_5.2.0-8+etch13_amd64.deb
php5-snmp_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-snmp_5.2.0-8+etch13_amd64.deb
php5-sqlite_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-sqlite_5.2.0-8+etch13_amd64.deb
php5-sybase_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-sybase_5.2.0-8+etch13_amd64.deb
php5-tidy_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-tidy_5.2.0-8+etch13_amd64.deb
php5-xmlrpc_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-xmlrpc_5.2.0-8+etch13_amd64.deb
php5-xsl_5.2.0-8+etch13_amd64.deb
  to pool/main/p/php5/php5-xsl_5.2.0-8+etch13_amd64.deb
php5_5.2.0-8+etch13.diff.gz
  to pool/main/p/php5/php5_5.2.0-8+etch13.diff.gz
php5_5.2.0-8+etch13.dsc
  to pool/main/p/php5/php5_5.2.0-8+etch13.dsc
php5_5.2.0-8+etch13_all.deb
  to pool/main/p/php5/php5_5.2.0-8+etch13_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Finney <[EMAIL PROTECTED]> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 30 Sep 2008 20:19:42 +0200
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc php5-pspell libapache2-mod-php5 
php5-xsl php5-cgi php-pear php5-tidy php5-pgsql php5-cli php5-recode php5-mhash 
php5-sybase php5-curl php5-odbc php5-mcrypt php5-mysql php5-common php5-imap 
php5-snmp php5-dev php5-sqlite libapache-mod-php5 php5-interbase
Architecture: source amd64 all
Version: 5.2.0-8+etch13
Distribution: stable-security
Urgency: high
Maintainer: Debian PHP Maintainers <[EMAIL PROTECTED]>
Changed-By: Sean Finney <[EMAIL PROTECTED]>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 499987 499988 499989
Changes: 
 php5 (5.2.0-8+etch13) stable-security; urgency=high
 .
   * Upload to etch for security issues
   * The following security issues are addressed with this update:
     - CVE-2008-3658: Buffer overflow in the imageloadfont function.
       Patch: 140-CVE-2008-3658.patch (closes: #499989)
     - CVE-2008-3659: Buffer overflow in the memnstr function.
       Patch: 139-CVE-2008-3659.patch (closes: #499988)
     - CVE-2008-3660: Remote DoS in fastcgi module
       Patch: CVE-2008-3660.patch (closes: #499987)
   * Revert previous security patch for CVE-2008-2829.  A fix for this
     will not be possible without an updated version of the UW c-client
     libraries.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI5Hz5ynjLPm522B0RAq7yAJ0QQmquH5ILBRWDjIG51fRpyic+/QCZAW5O
Ja88pg1UGvwxloh9Jg6RZLM=
=nwbW
-----END PGP SIGNATURE-----



--- End Message ---
