[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
I'm sorry for whining to the people who are subscribed to and care about this bug, but over 2 months since the release of a package with 3 claimed remotely exploitable code injection bugs makes me VERY hesitant to ever recommend Ubuntu for server use ever again. By this time even the slow moving redhat has updated and Ubuntu doesn't even have a package in -proposed. It seems all the hard work was completed over a month ago, and sits in Tormod Volden's PPA, with no action since. As far as I can tell, everything else is political will. If there is no more forward, I will have to start explaining to the world how broken Ubuntu's security updating strategy is. I would prefer to put my effort in something more useful than being the squeaky wheel, and will take all suggestions of how I can help. I prefer action over complaining any day ;-)

--
Please roll out security fixes from PHP 5.2.6
https://bugs.launchpad.net/bugs/227464
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to php5 in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
Fixed possible stack buffer overflow in FastCGI SAPI
Impact: Potential DOS and remote code execution if using FastCGI

Updated PCRE to deal with issues fixed in USN-581-1
Impact: potential DOS and code execution

Fixes CVE-2008-0599
Impact: Potential DOS and remote code execution

Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
Impact: Potential overwriting of system files if cURL is in use
POC code in the advisory: http://securityreason.com/achievement_securityalert/51

Properly address incomplete multibyte chars inside escapeshellcmd()
Impact: If I understand correctly, useful for bypassing character based filtering, leading to remotely running arbitrary commands on the shell

--
Please roll out security fixes from PHP 5.2.6
https://bugs.launchpad.net/bugs/227464
[Bug 227464] Re: PHP 5.2.6 fixes important security bugs
** Bug watch added: Debian Bug tracker #479723
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479723

** Also affects: php5 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=479723
   Importance: Unknown
   Status: Unknown

--
PHP 5.2.6 fixes important security bugs
https://bugs.launchpad.net/bugs/227464
[Bug 227464] Re: PHP 5.2.6 fixes important security bugs
Fix released in Debian on May 11. Fixes are available both upstream in Debian and upstream in main package. How can I help move this bug along?

--
PHP 5.2.6 fixes important security bugs
https://bugs.launchpad.net/bugs/227464
[Bug 227464] [NEW] PHP 5.2.6 fixes important security bugs
*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: php5

PHP 5.2.6 fixes important security bugs

From the release log:

Security Fixes
* Fixed possible stack buffer overflow in FastCGI SAPI. (Andrei Nigmatulin)
* Properly address incomplete multibyte chars inside escapeshellcmd() (Ilia, Stefan Esser)
* Fixed security issue detailed in CVE-2008-0599. (Rasmus)
* Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. (Ilia)
* Upgraded PCRE to version 7.6 (Nuno)

** Affects: php5 (Ubuntu)
   Importance: Undecided
   Status: New

** Visibility changed to: Public

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0599

--
PHP 5.2.6 fixes important security bugs
https://bugs.launchpad.net/bugs/227464
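The escapeshellcmd() item in the release log above, and the earlier comment that incomplete multibyte characters can defeat character-based filtering, both come down to one defensive rule: a byte-level escaper must refuse input whose encoding is malformed, and the safer design is to never hand user data to a shell at all. The following Python is an added illustration of that rule; it is not code from the bug thread, from Ubuntu's php5 package, or from PHP itself. The SHELL_METACHARS set is an assumed, typical list rather than PHP's exact one, and every function name here (is_complete_utf8, escape_shell_bytes, escape_or_reject, run_without_shell) is hypothetical.

```python
"""Added illustration (not from the bug thread or from PHP's source): a
byte-level shell escaper that rejects incomplete multibyte input, beside
the preferred alternative of passing an argv list with no shell involved."""
import subprocess
import sys

# Assumed set of bytes a shell-command escaper must neutralise. This is an
# illustrative list, not PHP's exact escapeshellcmd() table.
SHELL_METACHARS = frozenset(b"#&;`|*?~<>^()[]{}$\\\n\"'")


def is_complete_utf8(data: bytes) -> bool:
    """True only if every multibyte sequence in `data` is complete and valid.

    A truncated sequence such as b'\\xe3\\x81' (2 of the 3 bytes of one
    character) fails strict decoding; that is exactly the 'incomplete
    multibyte char' case the release log refers to."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def escape_shell_bytes(data: bytes) -> bytes:
    """Escape shell metacharacters byte by byte, refusing malformed input.

    Validating the encoding first guarantees that a dangling lead byte can
    never be joined with the following byte (an escaping backslash or a
    metacharacter) by a multibyte-aware consumer further down the line."""
    if not is_complete_utf8(data):
        raise ValueError("incomplete or invalid multibyte sequence in input")
    out = bytearray()
    for b in data:
        if b in SHELL_METACHARS:
            out.append(0x5C)  # prepend a backslash
        out.append(b)
    return bytes(out)


def escape_or_reject(data: bytes):
    """Wrapper returning None instead of raising, for callers that prefer
    to log and drop bad input rather than handle an exception."""
    try:
        return escape_shell_bytes(data)
    except ValueError:
        return None


def run_without_shell(arg: str) -> str:
    """Preferred defence: pass the argument as one argv element so no shell
    ever parses it. The current Python interpreter stands in for the child
    program so the example runs anywhere; it simply echoes argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs: a benign string, a metacharacter-laden one,
    # and one ending in a truncated multibyte sequence.
    for sample in (b"report.txt", b"a;b", b"ls \xe3\x81;"):
        print(sample, "->", escape_or_reject(sample))
    print(repr(run_without_shell("a; echo pwned")))
```

The second function is the one worth copying: when the child process receives its arguments as a list, metacharacters in user data are never interpreted, so the escaping question does not arise. Where a shell string is unavoidable, reject malformed encodings before escaping rather than trusting the escaper to cope with them.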