Your message dated Fri, 11 Dec 2020 15:34:11 +0000
with message-id <e1knkqt-000hyj...@fasolo.debian.org>
and subject line Bug#976108: fixed in php-pear 1:1.10.9+submodules+notgz-1.1
has caused the Debian Bug report #976108,
regarding php-pear: CVE-2020-28948 CVE-2020-28949
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
976108: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-pear
Version: 1:1.10.9+submodules+notgz-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/pear/Archive_Tar/issues/33
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:1.10.6+submodules+notgz-1.1

Hi,

The following vulnerabilities were published for php-pear.

CVE-2020-28948[0]:
| Archive_Tar through 1.4.10 allows an unserialization attack because
| phar: is blocked but PHAR: is not blocked.


CVE-2020-28949[1]:
| Archive_Tar through 1.4.10 has :// filename sanitization only to
| address phar attacks, and thus any other stream-wrapper attack (such
| as file:// to overwrite files) can still succeed.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28948
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
[1] https://security-tracker.debian.org/tracker/CVE-2020-28949
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
[2] https://github.com/pear/Archive_Tar/issues/33
[3] https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

Regards,
Salvatore

--- End Message ---
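The two CVE descriptions in the report above boil down to one screening weakness: an archive entry name was tested for a lower-case `phar:` prefix only, so an upper-case `PHAR:` passed, and other stream wrappers such as `file://` were never considered. The following is an added example written for this page; it is not Archive_Tar's code, not the upstream commit, and not the Debian patch. It places a narrow check modelled on the described flaw beside a scheme-agnostic one, assuming the extractor joins each entry name onto a fixed extraction directory, so that only relative, wrapper-free paths are legitimate. The sample entry names are constructed for the demonstration.

```php
<?php
// Added example, not Archive_Tar's code: screening tar entry names before they
// are used as output paths in a PHP extractor.

// Narrow check, modelled on the weakness the report describes: only a
// lower-case "phar:" prefix is refused. PHP resolves wrapper schemes
// case-insensitively, so "PHAR:" still selects the phar wrapper, and any
// other wrapper ("file://", "ftp://", ...) is never looked at here.
function narrow_entry_check(string $name): bool
{
    if (strpos($name, 'phar:') === 0) {
        return false; // rejected
    }
    return true;      // accepted
}

// Hardened check: refuse anything that can select a stream wrapper or escape
// the extraction directory. Returns true only for plain relative paths.
function is_safe_entry_name(string $name): bool
{
    // Any URL-style scheme, matched case-insensitively: "phar:", "PHAR://",
    // "file://", "data:" and so on. A Windows drive prefix ("C:\...") also
    // matches, which is the desired outcome for a relative-path-only policy.
    // Conservative by design: a bare "a:b" filename is refused as well.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name)) {
        return false;
    }
    // NUL bytes would truncate the path in the underlying filesystem call.
    if (strpos($name, "\0") !== false) {
        return false;
    }
    // Empty names and absolute paths (either separator) are refused.
    if ($name === '' || $name[0] === '/' || $name[0] === '\\') {
        return false;
    }
    // Any ".." component, with either separator, is refused.
    foreach (preg_split('#[\\\\/]+#', $name) as $part) {
        if ($part === '..') {
            return false;
        }
    }
    return true;
}

// Constructed entry names (not from any real archive) covering the normal
// case, both CVEs from the report, and classic path escapes.
$samples = [
    'docs/readme.txt',
    'phar://evil.phar/x',      // caught by both checks
    'PHAR://evil.phar/x',      // CVE-2020-28948: case bypass of the narrow check
    'file:///tmp/target.txt',  // CVE-2020-28949: a different stream wrapper
    '../../outside.txt',       // parent-directory escape
    '/absolute/path.txt',      // absolute path
];

printf("%-26s %-7s %s\n", 'entry name', 'narrow', 'hardened');
foreach ($samples as $s) {
    printf("%-26s %-7s %s\n", $s,
        narrow_entry_check($s) ? 'accept' : 'reject',
        is_safe_entry_name($s) ? 'accept' : 'reject');
}
```

Run with `php screen.php`; only the first sample is accepted by the hardened check, while the narrow check accepts every sample except the lower-case `phar://` one. The design choice worth noting is that the hardened check does not maintain a list of known-bad schemes: it refuses the `scheme:` shape itself, so wrappers that did not exist when the check was written are refused too.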
--- Begin Message ---
Source: php-pear
Source-Version: 1:1.10.9+submodules+notgz-1.1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Dec 2020 14:40:37 +0100
Source: php-pear
Architecture: source
Version: 1:1.10.9+submodules+notgz-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian PHP Maintainers <team+pkg-...@tracker.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 976108
Changes:
 php-pear (1:1.10.9+submodules+notgz-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * ensure we catch additional malicious/crafted filenames (CVE-2020-28948,
     CVE-2020-28949) (Closes: #976108)
Checksums-Sha1:
 6ec1497268182c17a91e53a94ec05c2350f6ba15 2244 php-pear_1.10.9+submodules+notgz-1.1.dsc
 db0fdb55ba71146bd8f11533e219cf45bad1a508 8424 php-pear_1.10.9+submodules+notgz-1.1.debian.tar.xz
Checksums-Sha256:
 f12a5b900701e297b79a0d5b73bb340cfd8826002278c69b60c3db2fa5c4ec04 2244 php-pear_1.10.9+submodules+notgz-1.1.dsc
 f3d7d9ad8a60e632b1e4e9a48646a61f2e52fa67a41c0e3a3c74b15a165b3d0c 8424 php-pear_1.10.9+submodules+notgz-1.1.debian.tar.xz
Files:
 f10792a3cff915ca643632425e14aeae 2244 php optional php-pear_1.10.9+submodules+notgz-1.1.dsc
 a52bd46f320e07e95e8714ef7df64c76 8424 php optional php-pear_1.10.9+submodules+notgz-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---