Bug#347894: marked as done (php5: Two security problems in PHP5)

Tue, 17 Jan 2006 23:33:18 -0800 

Your message dated Tue, 17 Jan 2006 23:17:12 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#347894: fixed in php5 5.1.2-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 13 Jan 2006 11:21:02 +0000
>From [EMAIL PROTECTED] Fri Jan 13 03:21:02 2006
Return-path: <[EMAIL PROTECTED]>
Received: from inutil.org ([193.22.164.111] 
helo=vserver151.vserver151.serverflex.de)
        by spohr.debian.org with esmtp (Exim 4.50)
        id 1ExMzO-0000Aw-3X
        for [EMAIL PROTECTED]; Fri, 13 Jan 2006 03:21:02 -0800
Received: from wlan-client-058.informatik.uni-bremen.de ([134.102.116.59] 
helo=localhost.localdomain)
        by vserver151.vserver151.serverflex.de with esmtpsa 
(TLS-1.0:RSA_AES_256_CBC_SHA:32)
        (Exim 4.50)
        id 1ExMzK-0001Wf-9D
        for [EMAIL PROTECTED]; Fri, 13 Jan 2006 12:20:58 +0100
Received: from jmm by localhost.localdomain with local (Exim 4.60)
        (envelope-from <[EMAIL PROTECTED]>)
        id 1ExMyZ-0001Zg-Na; Fri, 13 Jan 2006 12:20:11 +0100
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: php5: Two security problems in PHP5
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: reportbug 3.18
Date: Fri, 13 Jan 2006 12:20:11 +0100
X-Debbugs-Cc: Debian Security Team <[EMAIL PROTECTED]>
X-SA-Exim-Connect-IP: 134.102.116.59
X-SA-Exim-Mail-From: [EMAIL PROTECTED]
X-SA-Exim-Scanned: No (on vserver151.vserver151.serverflex.de); SAEximRunCond 
expanded to false
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: php5
Severity: grave
Tags: security
Justification: user security hole

Two security problems have been found in PHP5. For details please see
http://www.hardened-php.net/advisory_012006.112.html
http://www.hardened-php.net/advisory_022006.113.html
 
PHP 4 is not affected, so this only affects testing and sid.

Cheers,
        Moritz
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)

---------------------------------------
Received: (at 347894-close) by bugs.debian.org; 18 Jan 2006 07:20:42 +0000
>From [EMAIL PROTECTED] Tue Jan 17 23:20:42 2006
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
        id 1Ez7ZA-000585-Pc; Tue, 17 Jan 2006 23:17:12 -0800
From: Adam Conrad <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.65 $
Subject: Bug#347894: fixed in php5 5.1.2-1
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 17 Jan 2006 23:17:12 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: php5
Source-Version: 5.1.2-1

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache-mod-php5_5.1.2-1_i386.deb
  to pool/main/p/php5/libapache-mod-php5_5.1.2-1_i386.deb
libapache2-mod-php5_5.1.2-1_i386.deb
  to pool/main/p/php5/libapache2-mod-php5_5.1.2-1_i386.deb
php-pear_5.1.2-1_all.deb
  to pool/main/p/php5/php-pear_5.1.2-1_all.deb
php5-cgi_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-cgi_5.1.2-1_i386.deb
php5-cli_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-cli_5.1.2-1_i386.deb
php5-common_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-common_5.1.2-1_i386.deb
php5-curl_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-curl_5.1.2-1_i386.deb
php5-dev_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-dev_5.1.2-1_i386.deb
php5-gd_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-gd_5.1.2-1_i386.deb
php5-ldap_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-ldap_5.1.2-1_i386.deb
php5-mhash_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-mhash_5.1.2-1_i386.deb
php5-mysql_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-mysql_5.1.2-1_i386.deb
php5-odbc_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-odbc_5.1.2-1_i386.deb
php5-pgsql_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-pgsql_5.1.2-1_i386.deb
php5-recode_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-recode_5.1.2-1_i386.deb
php5-snmp_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-snmp_5.1.2-1_i386.deb
php5-sqlite_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-sqlite_5.1.2-1_i386.deb
php5-sybase_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-sybase_5.1.2-1_i386.deb
php5-xmlrpc_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-xmlrpc_5.1.2-1_i386.deb
php5-xsl_5.1.2-1_i386.deb
  to pool/main/p/php5/php5-xsl_5.1.2-1_i386.deb
php5_5.1.2-1.diff.gz
  to pool/main/p/php5/php5_5.1.2-1.diff.gz
php5_5.1.2-1.dsc
  to pool/main/p/php5/php5_5.1.2-1.dsc
php5_5.1.2-1_all.deb
  to pool/main/p/php5/php5_5.1.2-1_all.deb
php5_5.1.2.orig.tar.gz
  to pool/main/p/php5/php5_5.1.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <[EMAIL PROTECTED]> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 16 Jan 2006 16:12:31 +1100
Source: php5
Binary: php5-gd php5-ldap php5 php5-xmlrpc libapache2-mod-php5 php5-xsl 
php5-cgi php-pear php5-pgsql php5-cli php5-recode php5-mhash php5-sybase 
php5-curl php5-odbc php5-mysql php5-common php5-snmp php5-dev php5-sqlite 
libapache-mod-php5
Architecture: source i386 all
Version: 5.1.2-1
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <[EMAIL PROTECTED]>
Changed-By: Adam Conrad <[EMAIL PROTECTED]>
Description: 
 libapache-mod-php5 - server-side, HTML-embedded scripting language (apache 1.3 
module)
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (apache 
2.0 module)
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (meta-package)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dev   - Files for PHP5 module development
 php5-gd    - GD module for php5
 php5-ldap  - LDAP module for php5
 php5-mhash - MHASH module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 346479 346501 346550 347894
Changes: 
 php5 (5.1.2-1) unstable; urgency=low
 .
   * New upstream bugfix and security update release (closes: #347894)
     - Fixes multiple cross-site-scripting vulnerabilities; CVE-2006-0208
     - Resolves multiple HTTP response splitting vulnerabilities, allowing
       arbitrary header injection via Set-Cookie headers; see CVE-2006-0207
     - While we don't currently build it, this release also fixes a format
       string vulnerability in the mysqli extension; see CVE-2006-0200
     - Includes a new version of the PEAR installer that seems to have a
       slightly better clue about the difference between INSTALL_ROOT and
       PHP_PEAR_INSTALL_DIR, fixing pear.conf (closes: #346479, #346501)
   * While the above is partially true, the PEAR installer is still a bit
     broken (it won't install correctly under fakeroot anymore, YAY), so
     shuffle debian/rules to have a build-pear-stamp target, as a stopgap.
   * Add 106-strptime_xopen.patch, moving the _XOPEN_SOURCE definition down
     in ext/standard/datetime.c, below the php.h include (closes: #346550)
   * Add 107-reflection_is_ext.patch, munging ext/reflection/config.m4 to
     properly call the PHP_ARG_ENABLE macro for an extension, not built-in.
   * Stop php-pear from Replacing and Conflicting with php-html-template-it,
     as we only now ship the bare essential to make the pear installer go.
Files: 
 3621a044d82dc672ae54653a4fe7c75f 1778 web optional php5_5.1.2-1.dsc
 b5b6564e8c6a0d5bc1d2b4787480d792 8064193 web optional php5_5.1.2.orig.tar.gz
 4f9feaaf0c72d9ae2f7497364ea227e6 97057 web optional php5_5.1.2-1.diff.gz
 03b3a6a8c06c8bf05fc9796832616602 130434 web optional 
php5-common_5.1.2-1_i386.deb
 243d124b9c54b564210230ad7bdf0060 2339380 web optional 
libapache-mod-php5_5.1.2-1_i386.deb
 047db563ca967986c4096be789d4817a 2340960 web optional 
libapache2-mod-php5_5.1.2-1_i386.deb
 dea271367841591494c6bd0c14547cdd 4635746 web optional php5-cgi_5.1.2-1_i386.deb
 e6f53a094ea7fa46f49ba142704f4929 2328658 web optional php5-cli_5.1.2-1_i386.deb
 5cec13d581c65fc3c832406530675ad5 312520 devel optional 
php5-dev_5.1.2-1_i386.deb
 0a64f56fc0b55439dc60a890536ddfea 23802 web optional php5-curl_5.1.2-1_i386.deb
 661ef5eeec364d8176ba687954428dea 34122 web optional php5-gd_5.1.2-1_i386.deb
 e92ce6b3cab82150302dccfce2a49a20 20668 web optional php5-ldap_5.1.2-1_i386.deb
 ce64ee5db6873056ca23b93e90f6a6f7 8528 web optional php5-mhash_5.1.2-1_i386.deb
 20d6bdac41301a9160f00e0be2bc15df 23028 web optional php5-mysql_5.1.2-1_i386.deb
 be60c39a1ee98221860fcc979b8421e3 28270 web optional php5-odbc_5.1.2-1_i386.deb
 1e69c6dd1a80139fc64bcb3ab981aeac 41894 web optional php5-pgsql_5.1.2-1_i386.deb
 c348f22e7809e2c389ad67df99dbec33 8192 web optional php5-recode_5.1.2-1_i386.deb
 de7a836d1dfeaa73ea7cae0b964a9665 14626 web optional php5-snmp_5.1.2-1_i386.deb
 6e8cb69882b53b19d22dfb2395fd80a4 26956 web optional 
php5-sqlite_5.1.2-1_i386.deb
 489e2ca4bb90146884c5f8c926cf5492 21392 web optional 
php5-sybase_5.1.2-1_i386.deb
 47b18c6bef42a836d5a081ee0f2842b4 39628 web optional 
php5-xmlrpc_5.1.2-1_i386.deb
 3b7f2f0671cd27d9e3b1fadf1044258f 15606 web optional php5-xsl_5.1.2-1_i386.deb
 18f59d15b1cb6d6d5e586436dc864571 1036 web optional php5_5.1.2-1_all.deb
 fa3a3d105b652f5541a3419be7336a99 301962 web optional php-pear_5.1.2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzeZBvjztR8bOoMkRAkjAAKC8Ty2T/KHPKM6kVdvCgrVMwe+vQACgrbrx
XF4IU09C1On7TZ/KZ5lWp8g=
=qgX6
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to