Your message dated Wed, 24 Mar 2010 20:20:17 +0000 (WET)
with message-id <[email protected]>
and subject line Package php4 has been removed from Debian
has caused the Debian Bug report #499994,
regarding CVE-2008-3659: Buffer overflow in the memnstr function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
499994: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499994
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: php5
Version: 5.2.6-3
Severity: important
Tags: patch
Via http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3659:
Buffer overflow in the memnstr function in PHP 4.4.x before 4.4.9 and PHP
5.6 through 5.2.6 allows context-dependent attackers to cause a denial
of service (crash) and possibly execute arbitrary code via the delimiter
argument to the explode function. NOTE: the scope of this issue is limited
since most applications would not use an attacker-controlled delimiter,
but local attacks against safe_mode are feasible.
While the attack vector may be somewhat limited, apparently this vector
is actually used in practice by a number of apps, so we should include
the patch (well, we have in fact already incorporated it into the svn
repo, but it has not yet been released):
http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_operators.h?r1=1.94.2.4.2.11&r2=1.94.2.4.2.12&view=patch
sean
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.2.6-3 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6-3 server-side, HTML-embedded scripti
ii php5-common 5.2.6-3 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
-- no debconf information
--- End Message ---
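A bounded memnstr in the style of the Zend helper that explode() relies on, as an added example (not PHP's source and not part of the report above). The explicit length guard is the kind of check the referenced patch introduces; its exact upstream form is reconstructed here and should be treated as an assumption, as is the explode_count() helper used to exercise it:

```c
#include <stddef.h>
#include <string.h>

/* Bounded search for needle in [haystack, end), in the style of Zend's
 * memnstr(). Added example, not PHP's source. The length guard below is the
 * check the referenced patch adds (reconstructed; assumption). Without it,
 * `end -= needle_len` with a delimiter longer than the remaining haystack
 * moves `end` before the buffer: undefined pointer arithmetic that the
 * report describes as a crash/overflow reachable via explode()'s delimiter. */
const char *memnstr_checked(const char *haystack, const char *needle,
                            size_t needle_len, const char *end)
{
    const char *p = haystack;
    char last;
    if (needle_len == 0 || end < haystack)
        return NULL;
    /* Guard: a needle longer than what is left of the haystack cannot match. */
    if (needle_len > (size_t)(end - haystack))
        return NULL;
    if (needle_len == 1)
        return memchr(p, *needle, (size_t)(end - p));
    last = needle[needle_len - 1];
    end -= needle_len;              /* last position a full match can start at */
    while (p <= end) {
        p = memchr(p, *needle, (size_t)(end - p + 1));
        if (p == NULL)
            return NULL;
        if (p[needle_len - 1] == last && memcmp(needle, p, needle_len - 1) == 0)
            return p;
        p++;
    }
    return NULL;
}

/* explode()-style piece count for str split on delim; returns 1 when delim
 * never occurs (as PHP's explode() does). Reaches the guard whenever delim
 * is longer than the tail of str still being scanned. */
int explode_count(const char *str, const char *delim)
{
    size_t dlen = strlen(delim);
    const char *end = str + strlen(str);
    const char *hit;
    int pieces = 1;
    while ((hit = memnstr_checked(str, delim, dlen, end)) != NULL) {
        pieces++;
        str = hit + dlen;
    }
    return pieces;
}
```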
--- Begin Message ---
Version: 6:4.4.6-2+rm
You filed the bug http://bugs.debian.org/499994 in Debian BTS
against the package php4. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/428266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
--- End Message ---