Package: php5 Version: 5.4.2-1 Severity: important Tags: security http://seclists.org/oss-sec/2012/q2/249
quote: Hi, I guess most of you have heard of this one already, yet it should be in here as well. The original issue was tracked as CERT VU#520827, CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete fix, and apparently CVE-2012-2311 refers to that incomplete fix issue. http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/ http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html http://www.kb.cert.org/vuls/id/520827 http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/ http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/ http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian) Alexander -- System Information: Debian Release: 6.0.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages php5 depends on: ii libapache2-mod-php5 5.3.3-7+squeeze8 server-side, HTML-embedded scripti ii php5-cgi 5.3.3-7+squeeze8 server-side, HTML-embedded scripti ii php5-common 5.3.3-7+squeeze8 Common files for packages built fr php5 recommends no packages. php5 suggests no packages. -- no debconf information -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
