Your message dated Fri, 16 Dec 2005 21:36:14 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#323366: fixed in php4 4:4.3.10-16
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 16 Aug 2005 09:36:24 +0000
From [EMAIL PROTECTED] Tue Aug 16 02:36:24 2005
Return-path: <[EMAIL PROTECTED]>
Received: from office-gw.westend.com (xeniac.intern) [212.117.64.2]
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E4xrs-0001vv-00; Tue, 16 Aug 2005 02:36:24 -0700
Received: by xeniac.intern (Postfix, from userid 1000)
	id 0579F370005; Tue, 16 Aug 2005 11:36:22 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Christian Hammers <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: SECURITY: XML::RPC remote code injections (CAN-2005-2498)
X-Mailer: reportbug 3.8
Date: Tue, 16 Aug 2005 11:36:22 +0200
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: php4
Version: 4:4.3.10-15
Severity: grave
Tags: security

Hello

A security flaw in XML::RPC has become known. From the version numbers it
seems to affect Debian. (I did not check which distributions and packages
exactly though).

More information is available here:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2498 (not yet)

Advisory:     PEAR XML_RPC Remote PHP Code Injection Vulnerability
Application:  PEAR XML_RPC <= 1.3.3
Severity:     A malformed XMLRPC request can result in execution of
              arbitrary injected PHP code
References:   http://www.hardened-php.net/advisory_142005.66.html

Advisory:     PHPXMLRPC Remote PHP Code Injection Vulnerability
Application:  PHPXMLRPC <= 1.1.1
Severity:     A malformed XMLRPC request can result in execution of
              arbitrary injected PHP code
References:   http://www.hardened-php.net/advisory_152005.67.html

bye,

-christian-

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (9999, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-15) (ignored: LC_ALL set to [EMAIL PROTECTED])

Versions of packages php4 depends on:
ii  libapache-mod-php4   4:4.3.10-15   server-side, HTML-embedded scripti
ii  php4-common          4:4.3.10-15   Common files for packages built fr

-- debconf information excluded

---------------------------------------
Received: (at 323366-close) by bugs.debian.org; 17 Dec 2005 05:42:33 +0000
From [EMAIL PROTECTED] Fri Dec 16 21:42:33 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
	id 1EnUju-0000pP-MX; Fri, 16 Dec 2005 21:36:14 -0800
From: Steve Langasek <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.17 $
Subject: Bug#323366: fixed in php4 4:4.3.10-16
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 16 Dec 2005 21:36:14 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-CrossAssassin-Score: 2

Source: php4
Source-Version: 4:4.3.10-16

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

libapache-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.3.10-16_i386.deb
libapache2-mod-php4_4.3.10-16_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.3.10-16_i386.deb
php4-cgi_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cgi_4.3.10-16_i386.deb
php4-cli_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-cli_4.3.10-16_i386.deb
php4-common_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-common_4.3.10-16_i386.deb
php4-curl_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-curl_4.3.10-16_i386.deb
php4-dev_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-dev_4.3.10-16_i386.deb
php4-domxml_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-domxml_4.3.10-16_i386.deb
php4-gd_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-gd_4.3.10-16_i386.deb
php4-imap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-imap_4.3.10-16_i386.deb
php4-ldap_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-ldap_4.3.10-16_i386.deb
php4-mcal_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mcal_4.3.10-16_i386.deb
php4-mhash_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mhash_4.3.10-16_i386.deb
php4-mysql_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-mysql_4.3.10-16_i386.deb
php4-odbc_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-odbc_4.3.10-16_i386.deb
php4-pear_4.3.10-16_all.deb
  to pool/main/p/php4/php4-pear_4.3.10-16_all.deb
php4-recode_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-recode_4.3.10-16_i386.deb
php4-snmp_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-snmp_4.3.10-16_i386.deb
php4-sybase_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-sybase_4.3.10-16_i386.deb
php4-xslt_4.3.10-16_i386.deb
  to pool/main/p/php4/php4-xslt_4.3.10-16_i386.deb
php4_4.3.10-16.diff.gz
  to pool/main/p/php4/php4_4.3.10-16.diff.gz
php4_4.3.10-16.dsc
  to pool/main/p/php4/php4_4.3.10-16.dsc
php4_4.3.10-16_all.deb
  to pool/main/p/php4/php4_4.3.10-16_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <[EMAIL PROTECTED]> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 24 Aug 2005 19:05:10 -0700
Source: php4
Binary: php4-cgi php4-sybase php4-recode libapache-mod-php4 php4-cli php4-dev libapache2-mod-php4 php4-snmp php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-imap php4-common php4-curl php4 php4-pear php4-mcal php4-mhash
Architecture: source i386 all
Version: 4:4.3.10-16
Distribution: stable-security
Urgency: high
Maintainer: Adam Conrad <[EMAIL PROTECTED]>
Changed-By: Steve Langasek <[EMAIL PROTECTED]>
Description:
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-imap  - IMAP module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PEAR - PHP Extension and Application Repository
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 316447 323366
Changes:
 php4 (4:4.3.10-16) stable-security; urgency=high
 .
   Adam Conrad <[EMAIL PROTECTED]>:
   * Patch php4-dev's bundled shtool to use a temporary directory to resolve
     insecure temp file handling, reported in CAN-2005-1751 and CAN-2005-1759.
   * Patch PEAR after it has been installed in debian/php4-pear to resolve
     the XML-RPC vulnerability reported in CAN-2005-1921 (closes: #316447)
   * Backport changes by [EMAIL PROTECTED] and [EMAIL PROTECTED] to resolve
     another remote XML_RPC exploit, as reported in CAN-2005-2498
     (closes: #323366)
Files:
 e57b3e8e7f45104fbb11c833a57a53be 1686 web optional php4_4.3.10-16.dsc
 8a49871b1a36b26bb37c89115496aa23 278625 web optional php4_4.3.10-16.diff.gz
 74768ab0a62b20706266fc601c41b9df 167674 web optional php4-common_4.3.10-16_i386.deb
 38cc33f1a4c6a70af7f6749cdf9694f6 1614254 web optional libapache-mod-php4_4.3.10-16_i386.deb
 bda5e3087f3fa5a30aa7c61b0b959491 17904 web optional php4-curl_4.3.10-16_i386.deb
 6831728b5a0e67dd31df5194f3c8abcd 37242 web optional php4-domxml_4.3.10-16_i386.deb
 ab88aac36edc614390080e28979379e2 32396 web optional php4-gd_4.3.10-16_i386.deb
 53a185bcfe7a7fbb12549cfe2d866155 37378 web optional php4-imap_4.3.10-16_i386.deb
 cac07baa0ff4938c92b7ecd71085f820 19962 web optional php4-ldap_4.3.10-16_i386.deb
 bc8db965206e8cdc77a4127407d2af4c 17680 web optional php4-mcal_4.3.10-16_i386.deb
 68bf5a9ef56c0e7ce315a1c58d2d081c 8046 web optional php4-mhash_4.3.10-16_i386.deb
 17f84133fa9b36f5d64bfd05dd620998 21224 web optional php4-mysql_4.3.10-16_i386.deb
 3570b7f701d50ed2476c89addb1d73d6 27152 web optional php4-odbc_4.3.10-16_i386.deb
 e5dc6dd166607f3e9bd94321ecb6c51e 7712 web optional php4-recode_4.3.10-16_i386.deb
 998bae510bf391d8b94a3619df9e66dc 16402 web optional php4-xslt_4.3.10-16_i386.deb
 feeddae27dbfce70d62058e6cbe5476b 13156 web optional php4-snmp_4.3.10-16_i386.deb
 7251c8bf34e8021e701190812f535676 21384 web optional php4-sybase_4.3.10-16_i386.deb
 d651476ab8d3b5f6019e221fde718aba 3208880 web optional php4-cgi_4.3.10-16_i386.deb
 782899c50e02e31683263367bab3d27f 1609418 web optional php4-cli_4.3.10-16_i386.deb
 cc9fa332fb4a3bcf50e18fe7dfc30ce5 325322 devel optional php4-dev_4.3.10-16_i386.deb
 4a4aaabcccc850497c66ebacac23e627 1611958 web optional libapache2-mod-php4_4.3.10-16_i386.deb
 a280716fde4fd6d05dddeaff37a49d54 1148 web optional php4_4.3.10-16_all.deb
 0bca8d85163399f864cf13a1ac3f2884 250902 web optional php4-pear_4.3.10-16_all.deb
 73f5d1f42e34efa534a09c6091b5a21e 4892209 web optional php4_4.3.10.orig.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDDrizW5ql+IAeqTIRAjr4AJ0V5HkRaUQficdgExAVLO4/Hn7nzACeN7Ar
wA6AIBsQ4AdAZu+o93aE4lE=
=IYc4
-----END PGP SIGNATURE-----