Your message dated Fri, 03 Nov 2006 06:18:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#396766: fixed in php5 5.1.6-6
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
package: php5
severity: critical
tags: security
From http://secunia.com/advisories/22653/ :
"Some vulnerabilities have been reported in PHP, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.
The vulnerabilities are caused due to boundary errors within
the "htmlentities()" and "htmlspecialchars()" functions. If a PHP
application uses these functions to process user-supplied input, this
can be exploited to cause buffer overflows by passing specially
crafted data to the affected application.
Successful exploitation may allow execution of arbitrary code."
Since htmlentities() and htmlspecialchars() are frequently used on
user input, this seems quite severe to me.
--- End Message ---
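Added illustration of the bug class the quoted advisory describes, not code from PHP's ext/standard/html.c or from this bug report: a htmlspecialchars()-style escaper in C where one input byte can expand to up to six output bytes, so an output buffer sized from the input length alone is a boundary error. The function names `naive_capacity`, `html_escape_capacity` and `html_escape_bounded` are assumed here; the bounded version refuses to write past the buffer instead of overflowing it.

```c
#include <stdint.h>
#include <string.h>

/* Illustrative escaper of the htmlspecialchars() kind; NOT PHP's
 * ext/standard/html.c. One input byte can become up to six output
 * bytes ("&quot;", "&#039;"), so sizing the output buffer from the
 * input length alone is exactly the advisory's boundary error. */
#define MAX_EXPANSION 6

static const char *entity_for(unsigned char c) {
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#039;";
    default:   return NULL;   /* byte is copied through unchanged */
    }
}

/* The unsafe sizing rule: "twice the input is surely enough". It is not;
 * a run of quotes needs six bytes per input byte. Shown only as a
 * capacity estimate so the bounded escaper can reject it. */
size_t naive_capacity(const char *in) { return strlen(in) * 2 + 1; }

/* Worst-case capacity a caller must provide (0 if it would overflow size_t). */
size_t html_escape_capacity(const char *in) {
    size_t len = strlen(in);
    if (len > (SIZE_MAX - 1) / MAX_EXPANSION) return 0;
    return len * MAX_EXPANSION + 1;
}

/* Hardened escaper: every write is checked against the real capacity of
 * out. Returns bytes written (excluding the NUL), or -1 if the result
 * would not fit, the case the naive sizing silently overflows. */
long html_escape_bounded(const char *in, char *out, size_t cap) {
    if (cap == 0) return -1;
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        const char *rep = entity_for((unsigned char)in[i]);
        size_t rep_len = rep ? strlen(rep) : 1;
        if (o + rep_len + 1 > cap) return -1;   /* keep room for the NUL */
        if (rep) memcpy(out + o, rep, rep_len);
        else     out[o] = in[i];
        o += rep_len;
    }
    out[o] = '\0';
    return (long)o;
}
```

With the constructed input `<a href="x">Tom & Jerry's</a>` (29 bytes) the escaped form is 60 bytes, so a buffer of `2 * len + 1 = 59` is too small even though the input is short and ordinary.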
--- Begin Message ---
Source: php5
Source-Version: 5.1.6-6
We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:
libapache-mod-php5_5.1.6-6_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.6-6_i386.deb
libapache2-mod-php5_5.1.6-6_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.6-6_i386.deb
php-pear_5.1.6-6_all.deb
  to pool/main/p/php5/php-pear_5.1.6-6_all.deb
php5-cgi_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-cgi_5.1.6-6_i386.deb
php5-cli_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-cli_5.1.6-6_i386.deb
php5-common_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-common_5.1.6-6_i386.deb
php5-curl_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-curl_5.1.6-6_i386.deb
php5-dev_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-dev_5.1.6-6_i386.deb
php5-gd_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-gd_5.1.6-6_i386.deb
php5-ldap_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-ldap_5.1.6-6_i386.deb
php5-mhash_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-mhash_5.1.6-6_i386.deb
php5-mysql_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-mysql_5.1.6-6_i386.deb
php5-mysqli_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-mysqli_5.1.6-6_i386.deb
php5-odbc_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-odbc_5.1.6-6_i386.deb
php5-pgsql_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-pgsql_5.1.6-6_i386.deb
php5-recode_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-recode_5.1.6-6_i386.deb
php5-snmp_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-snmp_5.1.6-6_i386.deb
php5-sqlite_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-sqlite_5.1.6-6_i386.deb
php5-sybase_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-sybase_5.1.6-6_i386.deb
php5-xmlrpc_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.6-6_i386.deb
php5-xsl_5.1.6-6_i386.deb
  to pool/main/p/php5/php5-xsl_5.1.6-6_i386.deb
php5_5.1.6-6.diff.gz
  to pool/main/p/php5/php5_5.1.6-6.diff.gz
php5_5.1.6-6.dsc
  to pool/main/p/php5/php5_5.1.6-6.dsc
php5_5.1.6-6_all.deb
  to pool/main/p/php5/php5_5.1.6-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ondřej Surý <[EMAIL PROTECTED]> (supplier of updated php5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Fri, 3 Nov 2006 12:32:50 +0100
Source: php5
Binary: php5-mysqli php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite libapache-mod-php5
Architecture: source i386 all
Version: 5.1.6-6
Distribution: unstable
Urgency: high
Maintainer: Ondřej Surý <[EMAIL PROTECTED]>
Changed-By: Ondřej Surý <[EMAIL PROTECTED]>
Description:
libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 module)
libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 2.0 module)
php-pear - PEAR - PHP Extension and Application Repository
php5 - server-side, HTML-embedded scripting language (meta-package)
php5-cgi - server-side, HTML-embedded scripting language (CGI binary)
php5-cli - command-line interpreter for the php5 scripting language
php5-common - Common files for packages built from the php5 source
php5-curl - CURL module for php5
php5-dev - Files for PHP5 module development
php5-gd - GD module for php5
php5-ldap - LDAP module for php5
php5-mhash - MHASH module for php5
php5-mysql - MySQL module for php5
php5-mysqli - MySQL Improved module for php5
php5-odbc - ODBC module for php5
php5-pgsql - PostgreSQL module for php5
php5-recode - recode module for php5
php5-snmp - SNMP module for php5
php5-sqlite - SQLite module for php5
php5-sybase - Sybase / MS SQL Server module for php5
php5-xmlrpc - XML-RPC module for php5
php5-xsl - XSL module for php5
Closes: 396766
Changes:
php5 (5.1.6-6) unstable; urgency=high
  .
  [ sean finney ]
  * add notes to php.ini(-dist) about "unsupported" security features.
    patch: 113-php.ini_securitynotes.patch
  .
  [ Ondřej Surý ]
  * SECURITY: include patch for html buffer overflows in ext/standard/html.c
    Reference: CVE-2006-5465
    Patch: 114-CVE-2006-5465_htmlentities.patch
    Closes: #396766
Files:
--- End Message ---