Your message dated Tue, 19 Sep 2006 09:29:12 +0200
with message-id <[EMAIL PROTECTED]>
and subject line application issue, not php issue
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: php5
Severity: important
Tags: security
CVE-2006-4023:
The ip2long function in PHP 5.1.4 and earlier may incorrectly validate
an arbitrary string and return a valid network IP address, which
allows remote attackers to obtain network information and facilitate
other attacks, as demonstrated using SQL injection in the
X-FORWARDED-FOR Header in index.php in MiniBB 2.0. NOTE: it could be
argued that the ip2long behavior represents a risk for
security-relevant issues in a way that is similar to strcpy's role in
buffer overflows, in which case this would be a class of
implementation bugs that would require separate CVE items for each PHP
application that uses ip2long in a security-relevant manner.
I am not sure whether this has to be fixed in php or the applications.
Please check.
--- End Message ---
--- Begin Message ---
hey stefan,
the agreement via the security team was that this was an implementation
issue, not a php issue. thus, if any other packages in debian use
ip2long we should verify that they are not vulnerable to such an attack,
but in the meantime php shouldn't be considered vulnerable.
thanks,
sean
signature.asc
Description: This is a digitally signed message part
--- End Message ---
