Re: Debian PHP upgrade

2015-03-31 Thread Andile Ntebe
Hi Philip

Thank you very much for your response.

Regards




On 2015/03/25, 4:28 PM, "Philip Hands"  wrote:

>Andile Ntebe  writes:
>
>> Hi
>>
>> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>>
>> The below vulnerabilities seem to affect this version:
>
>You seem not to have noticed that Debian fixes security issues in stable
>versions of our packages, so you're comparing the version that Apache
>would tell you is vulnerable without noticing the fixes that have been
>applied since then by the Debian security team.
>
>I suggest that you take your list of CVEs and see if any of them are not
>mentioned as having been fixed in the Debian changelog:
>
>  
> http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog
>
>(I'm guessing that if you've been upgrading as hard as you can, and
>still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
>/etc/debian_version where you should see "7.8")
>
>Anyway, you need to note that the Debian version of Apache that you are
>running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
>version of the package that's been built by the package maintainer, many
>of which added fixes for CVEs, taking us to version 2.2.22-13, followed
>by four more uploads that backport fixes to Debian 7 (deb7u1..deb7u4)
>each of which adds more CVE fixes.
>
>Upgrading to the latest version of something to fix security bugs
>carries with it the potential to introduce new unexpected behaviours,
>and that may result in things breaking, which is why we backport
>security fixes instead of just asking everyone to upgrade and hoping for
>the best.
>
>...
>> Is there a way for us to update to the latest version?
>
>There certainly is -- you can choose to run our testing or unstable
>branches, rather than stable, but hopefully now you know why you should
>not be fretting about this.
>
>Cheers, Phil.
>--
>|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
>|-|  http://www.hands.com/  http://ftp.uk.debian.org/
>|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg, GERMANY





Re: Debian PHP upgrade

2015-03-31 Thread Andile Ntebe
Hi Florian

Here you go:

http://httpd.apache.org/security/vulnerabilities_22.html


Regards




On 2015/03/28, 10:42 PM, "Florian Weimer"  wrote:

>* Andile Ntebe:
>
>> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>>
>> The below vulnerabilities seem to affect this version:
>
>Hi Andile,
>
>Where did you get this list?
>
>Thanks,
>Florian
>





Re: Debian PHP upgrade

2015-03-31 Thread Florian Weimer
* Andile Ntebe:

> On 2015/03/28, 10:42 PM, "Florian Weimer"  wrote:
>
>>* Andile Ntebe:
>>
>>> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>>>
>>> The below vulnerabilities seem to affect this version:
>>
>>Hi Andile,
>>
>>Where did you get this list?

> Here you go:
>
> http://httpd.apache.org/security/vulnerabilities_22.html

Okay, as others have already told you, this list does not apply to the
Apache httpd packages as shipped by Debian because the relevant fixes
have been applied.


--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/87iodhuyis@mid.deneb.enyo.de



Re: Debian PHP upgrade

2015-03-28 Thread Florian Weimer
* Andile Ntebe:

> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>
> The below vulnerabilities seem to affect this version:

Hi Andile,

Where did you get this list?

Thanks,
Florian





Re: Debian PHP upgrade

2015-03-25 Thread Philip Hands
Andile Ntebe  writes:

> Hi
>
> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>
> The below vulnerabilities seem to affect this version:

You seem not to have noticed that Debian fixes security issues in stable
versions of our packages, so you're comparing the version that Apache
would tell you is vulnerable without noticing the fixes that have been
applied since then by the Debian security team.

I suggest that you take your list of CVEs and see if any of them are not
mentioned as having been fixed in the Debian changelog:

http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog

(I'm guessing that if you've been upgrading as hard as you can, and
still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
/etc/debian_version where you should see "7.8")

Anyway, you need to note that the Debian version of Apache that you are
running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
version of the package that's been built by the package maintainer, many
of which added fixes for CVEs, taking us to version 2.2.22-13, followed
by four more uploads that backport fixes to Debian 7 (deb7u1..deb7u4)
each of which adds more CVE fixes.

Upgrading to the latest version of something to fix security bugs
carries with it the potential to introduce new unexpected behaviours,
and that may result in things breaking, which is why we backport
security fixes instead of just asking everyone to upgrade and hoping for
the best.

...
> Is there a way for us to update to the latest version?

There certainly is -- you can choose to run our testing or unstable
branches, rather than stable, but hopefully now you know why you should
not be fretting about this.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/  http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg, GERMANY




Re: Debian PHP upgrade

2015-03-25 Thread Andile Ntebe
Debian 7.6

All the CVEs for Apache 2.2.22




On 2015/03/25, 1:53 PM, "Paul Wise"  wrote:

>On Wed, Mar 25, 2015 at 7:22 PM, Andile Ntebe wrote:
>
>> We have Apache/2.2.22 on our Debian boxes.
>
>Which Debian version number?
>
>> I've tried using apt-get update and apt-get upgrade to try and get us onto 
>> the latest version but with no success. Is there any other way that we could 
>> get Apache updated?
>
>Which CVEs are you looking to get fixed? You can look up their status
>and which Debian package versions fix them in the Debian security
>tracker:
>
>https://security-tracker.debian.org/
>
>--
>bye,
>pabs
>
>https://wiki.debian.org/PaulWise
>





Re: Debian PHP upgrade

2015-03-25 Thread Paul Wise
On Wed, Mar 25, 2015 at 9:37 PM, Andile Ntebe wrote:

> The below vulnerabilities seem to affect this version:

BTW:

Please install debsecan to determine which packages have unfixed
security issues or available security issues:

https://wiki.debian.org/DebianSecurity/debsecan

Please install debian-security-support to determine which packages do
not receive security support from the Debian security team, but may
receive fixes from individual maintainers.

https://packages.debian.org/debian-security-support

If you would like to help us track, find, fix and mitigate security
issues in Debian, please take a look at these pages:

https://security-tracker.debian.org/tracker/data/report
https://www.debian.org/security/audit/
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#bug-security
https://wiki.debian.org/Hardening
https://wiki.debian.org/Hardening/Goals

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: Debian PHP upgrade

2015-03-25 Thread Frederic Peters
Hi Andile,


> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
> 
> The below vulnerabilities seem to affect this version:
> 
> CVE-2014-0231 
> ...

As Paul noted earlier, you can use https://security-tracker.debian.org/
to look for a particular CVE; for example you'll get this one at:

  https://security-tracker.debian.org/tracker/CVE-2014-0231

And you will note it's been fixed.


The Debian security policy is to get the fix in the existing versions,
to minimise changes and reduce the risks of unexpected changes; that
is why you will see older version numbers in Debian.  That doesn't
mean the security issues are not fixed.

You can read more about this point, and other aspects of security in
Debian, in the security FAQ:

  http://www.debian.org/security/faq.en.html#oldversion


Regards,

Fred





Re: Debian PHP upgrade

2015-03-25 Thread Andrew Shadura
Andile,

On 25 March 2015 at 14:37, Andile Ntebe  wrote:
> Hi
>
> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>
> The below vulnerabilities seem to affect this version:

If you read the changelog to the latest version available in stable,
you'll find answers to all of your questions:
http://metadata.ftp-master.debian.org/changelogs//main/a/apache2/apache2_2.2.22-13+deb7u4_changelog

Citing the very beginning of it:

apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium

  * CVE-2013-5704: …
  …

 -- Stefan Fritsch   Tue, 23 Dec 2014 23:44:24 +0100

apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high

  * CVE-2014-0226: …
  * CVE-2014-0231: …
  * CVE-2014-0118: …

 -- Stefan Fritsch   Wed, 23 Jul 2014 23:53:24 +0200

As you see, our security team is working very well.

-- 
Cheers,
  Andrew


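The check Philip suggests, carried out on the changelog format Andrew quotes, as an added example that is not code from the thread or from Debian's own tooling: it splits a version such as 2.2.22-13+deb7u4 into upstream version, maintainer revision and stable-update suffix, parses a constructed changelog excerpt, and reports which of the listed CVEs appear as fixed and from which package version. The excerpt text and the `<address-elided>` placeholder are assumptions; a CVE absent from the excerpt may simply not apply, as Paul notes, so the security tracker remains the authority for those.

```python
import re
# Constructed excerpt in the changelog format Andrew quotes above. Versions, CVE ids,
# distributions and dates are from the thread; descriptions and the maintainer's
# address are elided there and stay placeholders here.
CHANGELOG = """\
apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium

  * CVE-2013-5704: (description elided)

 -- Stefan Fritsch <address-elided>  Tue, 23 Dec 2014 23:44:24 +0100

apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high

  * CVE-2014-0226: (description elided)
  * CVE-2014-0231: (description elided)
  * CVE-2014-0118: (description elided)

 -- Stefan Fritsch <address-elided>  Wed, 23 Jul 2014 23:53:24 +0200
"""
ENTRY_RE = re.compile(r"^(?P<pkg>\S+) \((?P<ver>[^)]+)\) (?P<dist>\S+); urgency=", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_version(version):
    """Split [epoch:]upstream[-revision][+debNuM]: 2.2.22-13+deb7u4 is upstream
    2.2.22, 13th maintainer revision, 4th stable update for Debian 7."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = None, version
    stable = None
    m = re.search(r"\+deb(\d+)u(\d+)$", rest)
    if m:
        stable = {"release": int(m.group(1)), "update": int(m.group(2))}
        rest = rest[:m.start()]
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, None
    return {"epoch": epoch, "upstream": upstream, "revision": revision, "stable_update": stable}

def parse_changelog(text):
    """Entries newest first, each with the CVE ids mentioned in its body."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"version": h.group("ver"), "distribution": h.group("dist"),
                        "cves": sorted(set(CVE_RE.findall(text[h.end():end])))})
    return entries

def check_cves(wanted, changelog_text):
    """CVE -> oldest version whose entry mentions it; None = absent here (check the tracker)."""
    fixed_in = {}
    for entry in reversed(parse_changelog(changelog_text)):  # oldest first
        for cve in entry["cves"]:
            fixed_in.setdefault(cve, entry["version"])
    return {cve: fixed_in.get(cve) for cve in wanted}

def includes_fix(installed, fixing):
    """True/False when only the +debNuM suffix differs, None when the base version
    differs. Narrow on purpose: use `dpkg --compare-versions` for the general case."""
    a, b = parse_version(installed), parse_version(fixing)
    if any(a[k] != b[k] for k in ("epoch", "upstream", "revision")):
        return None
    sa, sb = a["stable_update"], b["stable_update"]
    if sb is None:
        return True  # the fix is in the base maintainer revision itself
    return sa is not None and sa["release"] == sb["release"] and sa["update"] >= sb["update"]
```

Run against the real changelog Philip links, `check_cves` answers his question for the whole CVE list, and `includes_fix("2.2.22-13+deb7u4", version)` shows that a later stable update carries the earlier ones' fixes.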



Re: Debian PHP upgrade

2015-03-25 Thread Paul Wise
On Wed, Mar 25, 2015 at 9:37 PM, Andile Ntebe wrote:

> I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
>
> The below vulnerabilities seem to affect this version:
> Is there a way for us to update to the latest version?

All of the CVEs you referenced either do not apply to or are fixed in
Debian wheezy's version of Apache 2.2.22:

https://security-tracker.debian.org/tracker/CVE-2012-0883
https://security-tracker.debian.org/tracker/CVE-2012-2687
https://security-tracker.debian.org/tracker/CVE-2012-3499
https://security-tracker.debian.org/tracker/CVE-2012-4558
https://security-tracker.debian.org/tracker/CVE-2013-1862
https://security-tracker.debian.org/tracker/CVE-2013-1896
https://security-tracker.debian.org/tracker/CVE-2013-5704
https://security-tracker.debian.org/tracker/CVE-2013-6438
https://security-tracker.debian.org/tracker/CVE-2014-0098
https://security-tracker.debian.org/tracker/CVE-2014-0118
https://security-tracker.debian.org/tracker/CVE-2014-0226
https://security-tracker.debian.org/tracker/CVE-2014-0231

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: Debian PHP upgrade

2015-03-25 Thread Andile Ntebe
Hi

I'm not sure why Gareth said PHP, I’m referring to Apache 2.2.22.

The below vulnerabilities seem to affect this version:

CVE-2014-0231
CVE-2013-5704
CVE-2014-0118
CVE-2014-0226
CVE-2014-0098
CVE-2013-6438
CVE-2013-1862
CVE-2013-1896
CVE-2012-3499
CVE-2012-4558
CVE-2012-2687
CVE-2012-0883


Is there a way for us to update to the latest version?

Regards

On 2015/03/25, 1:48 PM, "Adam D. Barratt"  wrote:

>On 2015-03-25 11:22, Andile Ntebe wrote:
>> We have Apache/2.2.22 on our Debian boxes.
>>
>> I've tried using apt-get update and apt-get upgrade to try and get us
>> onto the latest version but with no success. Is there any other way
>> that we could get Apache updated?
>
>I have to admit I'm confused at this point.
>
>Gareth started by asking about a PHP vulnerability and you are now
>discussing an upgrade to Apache. Please could you confirm exactly which
>vulnerability in which package you believe isn't fixed in which Debian
>package, so that someone can help determine the status?
>
>Regards,
>
>Adam
>





Re: Debian PHP upgrade

2015-03-25 Thread Paul Wise
On Wed, Mar 25, 2015 at 7:22 PM, Andile Ntebe wrote:

> We have Apache/2.2.22 on our Debian boxes.

Which Debian version number?

> I've tried using apt-get update and apt-get upgrade to try and get us onto the 
> latest version but with no success. Is there any other way that we could get 
> Apache updated?

Which CVEs are you looking to get fixed? You can look up their status
and which Debian package versions fix them in the Debian security
tracker:

https://security-tracker.debian.org/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise





Re: Debian PHP upgrade

2015-03-25 Thread Adam D. Barratt

On 2015-03-25 11:22, Andile Ntebe wrote:

We have Apache/2.2.22 on our Debian boxes.

I've tried using apt-get update and apt-get upgrade to try and get us
onto the latest version but with no success. Is there any other way
that we could get Apache updated?


I have to admit I'm confused at this point.

Gareth started by asking about a PHP vulnerability and you are now 
discussing an upgrade to Apache. Please could you confirm exactly which 
vulnerability in which package you believe isn't fixed in which Debian 
package, so that someone can help determine the status?


Regards,

Adam





Re: Debian PHP upgrade

2015-03-25 Thread Andile Ntebe
Hi Adam

How are you?

We have Apache/2.2.22 on our Debian boxes.

I've tried using apt-get update and apt-get upgrade to try and get us onto the 
latest version but with no success. Is there any other way that we could get 
Apache updated?

Please let me know.

Regards


On 2015/03/25, 10:10 AM, "Adam D. Barratt"  wrote:

>On 2015-03-25 7:12, Gareth Webb wrote:
>> Passive-aggressive?
>> I was merely asking from a security perspective
>
>I assume Ondřej was referring to "if we need to move over to a new
>distribution that has this updated version of PHP". That's a fairly
>strong opening gambit for "merely asking", particularly given how little
>information you provided in your original message.
>
>(It's also fairly irrelevant when raising the question on debian-devel,
>because you're free to use whatever distribution you wish already and
>whether you decide to move or not has no bearing on when a particular
>bug may or may not be fixed.)
>
>Regards,
>
>Adam
>







RE: Debian PHP upgrade

2015-03-25 Thread Gareth Webb
No worries I understand :)

Andile (copied in) is our security expert; he will confirm the information for 
you.
Thanks for your assistance.





-Original Message-
From: Adam D. Barratt [mailto:a...@adam-barratt.org.uk] 
Sent: Wednesday, March 25, 2015 10:10 AM
To: Gareth Webb
Cc: Ondřej Surý; Salvatore Bonaccorso; debian-devel@lists.debian.org; Andile 
Ntebe
Subject: RE: Debian PHP upgrade

On 2015-03-25 7:12, Gareth Webb wrote:
> Passive-aggressive?
> I was merely asking from a security perspective

I assume Ondřej was referring to "if we need to move over to a new distribution 
that has this updated version of PHP". That's a fairly strong opening gambit 
for "merely asking", particularly given how little information you provided in 
your original message.

(It's also fairly irrelevant when raising the question on debian-devel, because 
you're free to use whatever distribution you wish already and whether you 
decide to move or not has no bearing on when a particular bug may or may not be 
fixed.)

Regards,

Adam



RE: Debian PHP upgrade

2015-03-25 Thread Adam D. Barratt

On 2015-03-25 7:12, Gareth Webb wrote:

Passive-aggressive?
I was merely asking from a security perspective


I assume Ondřej was referring to "if we need to move over to a new 
distribution that has this updated version of PHP". That's a fairly 
strong opening gambit for "merely asking", particularly given how little 
information you provided in your original message.


(It's also fairly irrelevant when raising the question on debian-devel, 
because you're free to use whatever distribution you wish already and 
whether you decide to move or not has no bearing on when a particular 
bug may or may not be fixed.)


Regards,

Adam





RE: Debian PHP upgrade

2015-03-25 Thread Gareth Webb
Passive-aggressive?
I was merely asking from a security perspective; I will provide you with the 
information you seek shortly.

Have a lovely day, and great week





-Original Message-
From: Ondřej Surý [mailto:ond...@sury.org] 
Sent: Tuesday, March 24, 2015 5:45 PM
To: Salvatore Bonaccorso; Gareth Webb
Cc: debian-devel@lists.debian.org
Subject: Re: Debian PHP upgrade

On Mon, Mar 23, 2015, at 08:59, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Mar 23, 2015 at 06:58:10AM +, Gareth Webb wrote:
> > I would like to know when Debian will be releasing the next version 
> > of PHP? Currently there is a known security vulnerability in the 
> > current version of Debian; we're not sure if we should wait for Debian 
> > to update it or if we need to move over to a new distribution that 
> > has this updated version of PHP?
> 
> Could you specify to which security vulnerability you are referring?
> We track the currently known CVEs for php5 in
> 
> https://security-tracker.debian.org/tracker/source-package/php5
> 
> and there was a recent DSA for php5:
> 
> https://www.debian.org/security/2015/dsa-3198

Also specifying the Debian release you are using would be helpful instead of 
that passive-aggressive attitude in your initial email...

Not to mention the question would be better targeted to Debian PHP maintainers 
instead of debian-devel - the mailing list for Development of Debian.

Cheers,
--
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Re: Debian PHP upgrade

2015-03-24 Thread Ondřej Surý
On Mon, Mar 23, 2015, at 08:59, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, Mar 23, 2015 at 06:58:10AM +, Gareth Webb wrote:
> > I would like to know when Debian will be releasing the next version
> > of PHP? Currently there is a known security vulnerability in the
> > current version of Debian; we're not sure if we should wait for Debian
> > to update it or if we need to move over to a new distribution that
> > has this updated version of PHP?
> 
> Could you specify to which security vulnerability you are referring?
> We track the currently known CVEs for php5 in
> 
> https://security-tracker.debian.org/tracker/source-package/php5
> 
> and there was a recent DSA for php5:
> 
> https://www.debian.org/security/2015/dsa-3198

Also specifying the Debian release you are using would be helpful
instead of that passive-aggressive attitude in your initial email...

Not to mention the question would be better targeted to Debian PHP
maintainers instead of debian-devel - the mailing list for Development
of Debian.

Cheers,
-- 
Ondřej Surý 
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server





Re: Debian PHP upgrade

2015-03-23 Thread Salvatore Bonaccorso
Hi,

On Mon, Mar 23, 2015 at 06:58:10AM +, Gareth Webb wrote:
> I would like to know when Debian will be releasing the next version
> of PHP? Currently there is a known security vulnerability in the
> current version of Debian; we're not sure if we should wait for Debian
> to update it or if we need to move over to a new distribution that
> has this updated version of PHP?

Could you specify to which security vulnerability you are referring?
We track the currently known CVEs for php5 in

https://security-tracker.debian.org/tracker/source-package/php5

and there was a recent DSA for php5:

https://www.debian.org/security/2015/dsa-3198

Regards,
Salvatore





Debian PHP upgrade

2015-03-23 Thread Gareth Webb
Hi

I would like to know when Debian will be releasing the next version of PHP. 
Currently there is a known security vulnerability in the current version of 
Debian; we're not sure if we should wait for Debian to update it or if we need to 
move over to a new distribution that has this updated version of PHP.

thanks

acceleration
GARETH WEBB
IT OPERATIONS MANAGER

2nd floor Longkloof Studios
Darters Road Gardens
Cape Town 8000
C +27 83 574 4004
T +27 21 487 1026
F +27 86 230 0559
www.acceleration.biz