Your message dated Sat, 04 Nov 2006 14:56:17 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#396764: fixed in php4 4:4.4.4-4
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
package: php4
severity: critical
tags: security
From http://secunia.com/advisories/22653/ :
"Some vulnerabilities have been reported in PHP, which can be
exploited by malicious people to cause a DoS (Denial of Service) or
potentially compromise a vulnerable system.
The vulnerabilities are caused due to boundary errors within
the "htmlentities()" and "htmlspecialchars()" functions. If a PHP
application uses these functions to process user-supplied input, this
can be exploited to cause buffer overflows by passing specially
crafted data to the affected application.
Successful exploitation may allow execution of arbitrary code."
Since htmlentities() and htmlspecialchars() are frequently used on
user input, this seems quite severe to me.
--- End Message ---
--- Begin Message ---
Source: php4
Source-Version: 4:4.4.4-4
We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:
libapache-mod-php4_4.4.4-4_amd64.deb
to pool/main/p/php4/libapache-mod-php4_4.4.4-4_amd64.deb
libapache2-mod-php4_4.4.4-4_amd64.deb
to pool/main/p/php4/libapache2-mod-php4_4.4.4-4_amd64.deb
php4-cgi_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-cgi_4.4.4-4_amd64.deb
php4-cli_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-cli_4.4.4-4_amd64.deb
php4-common_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-common_4.4.4-4_amd64.deb
php4-curl_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-curl_4.4.4-4_amd64.deb
php4-dev_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-dev_4.4.4-4_amd64.deb
php4-domxml_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-domxml_4.4.4-4_amd64.deb
php4-gd_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-gd_4.4.4-4_amd64.deb
php4-ldap_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-ldap_4.4.4-4_amd64.deb
php4-mcal_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-mcal_4.4.4-4_amd64.deb
php4-mhash_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-mhash_4.4.4-4_amd64.deb
php4-mysql_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-mysql_4.4.4-4_amd64.deb
php4-odbc_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-odbc_4.4.4-4_amd64.deb
php4-pear_4.4.4-4_all.deb
to pool/main/p/php4/php4-pear_4.4.4-4_all.deb
php4-pgsql_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-pgsql_4.4.4-4_amd64.deb
php4-recode_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-recode_4.4.4-4_amd64.deb
php4-snmp_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-snmp_4.4.4-4_amd64.deb
php4-sybase_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-sybase_4.4.4-4_amd64.deb
php4-xslt_4.4.4-4_amd64.deb
to pool/main/p/php4/php4-xslt_4.4.4-4_amd64.deb
php4_4.4.4-4.diff.gz
to pool/main/p/php4/php4_4.4.4-4.diff.gz
php4_4.4.4-4.dsc
to pool/main/p/php4/php4_4.4.4-4.dsc
php4_4.4.4-4_all.deb
to pool/main/p/php4/php4_4.4.4-4_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
sean finney <[EMAIL PROTECTED]> (supplier of updated php4 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sat, 04 Nov 2006 19:58:55 +0100
Source: php4
Binary: php4-sybase php4-recode php4-cgi libapache-mod-php4 php4-cli php4-dev php4-snmp libapache2-mod-php4 php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-common php4 php4-curl php4-pear php4-mcal php4-mhash php4-pgsql
Architecture: source amd64 all
Version: 4:4.4.4-4
Distribution: unstable
Urgency: high
Maintainer: Debian PHP Maintainers <[EMAIL PROTECTED]>
Changed-By: sean finney <[EMAIL PROTECTED]>
Description:
libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
php4 - server-side, HTML-embedded scripting language (meta-package)
php4-cgi - server-side, HTML-embedded scripting language (CGI binary)
php4-cli - command-line interpreter for the php4 scripting language
php4-common - Common files for packages built from the php4 source
php4-curl - CURL module for php4
php4-dev - Files for PHP4 module development
php4-domxml - XMLv2 module for php4
php4-gd - GD module for php4
php4-ldap - LDAP module for php4
php4-mcal - MCAL calendar module for php4
php4-mhash - MHASH module for php4
php4-mysql - MySQL module for php4
php4-odbc - ODBC module for php4
php4-pear - PHP Extension and Application Repository (transitional package)
php4-pgsql - PostgreSQL module for php4
php4-recode - Character recoding module for php4
php4-snmp - SNMP module for php4
php4-sybase - Sybase / MS SQL Server module for php4
php4-xslt - XSLT module for php4
Closes: 348499 396764
Changes:
php4 (4:4.4.4-4) unstable; urgency=high
.
* The "Evil 4's" release :-)
.
[ sean finney ]
* fix for SSL ciphers/contexts not being initialized properly
thanks to Theodor Milkov for finding this (closes: #348499).
.
[ Ondřej Surý ]
* SECURITY: include patch for html buffer overflows in ext/standard/html.c
Reference: CVE-2006-5465
Patch: 061-CVE-2006-5465_htmlentities.patch
Closes: #396764
Files:
0a6716436fe6f5aea5620587155b33ef 1835 web optional php4_4.4.4-4.dsc
0d7892a0ec3b4b3e703f8f31bfafa89d 89982 web optional php4_4.4.4-4.diff.gz
69fec93324d97f7bcac0493a1504f75c 204924 web optional php4-common_4.4.4-4_amd64.deb
72685c31fb5c4e53d373d320954b5dbe 1645610 web optional libapache-mod-php4_4.4.4-4_amd64.deb
e3baaed934f5964c6e3e1d3c13219f88 1646638 web optional libapache2-mod-php4_4.4.4-4_amd64.deb
0f464018a5d84d6ddbac525251f44e85 3253360 web optional php4-cgi_4.4.4-4_amd64.deb
ff75ee8eb1e265d4e859b774c490116f 1634240 web optional php4-cli_4.4.4-4_amd64.deb
0c40bcc627869d343508a5ad4ef299b1 201108 devel optional php4-dev_4.4.4-4_amd64.deb
1e595b40645f1165226aa3f039d869c4 15794 web optional php4-curl_4.4.4-4_amd64.deb
640fd9fe3ff9e3ce5a58795065be8704 39464 web optional php4-domxml_4.4.4-4_amd64.deb
2fe376b229f54c9242793b95cf9af19b 32302 web optional php4-gd_4.4.4-4_amd64.deb
cc218bebb3e7db324dbb36022f0cae84 18610 web optional php4-ldap_4.4.4-4_amd64.deb
45a7d5c2fb043cdba98accb425aa40d2 15612 web optional php4-mcal_4.4.4-4_amd64.deb
39ee3270058001e85b65cdbcb030f8c5 5232 web optional php4-mhash_4.4.4-4_amd64.deb
261df5db92447e383adfae17d44a5338 20574 web optional php4-mysql_4.4.4-4_amd64.deb
7f151fff2762dc9233fc56e0e54aa217 26128 web optional php4-odbc_4.4.4-4_amd64.deb
e221e9df03f2e09bf2eb4c1280c979e1 36006 web optional php4-pgsql_4.4.4-4_amd64.deb
ad7dcd244f429f3eae08ffc6c0bd13a0 4954 web optional php4-recode_4.4.4-4_amd64.deb
7a333c9d5e5c2b67afd3c4a6ea8d5509 11012 web optional php4-snmp_4.4.4-4_amd64.deb
1f16f5d310b8955aea578541cd08b1e2 19106 web optional php4-sybase_4.4.4-4_amd64.deb
b3d5f14f00b79df53f2687adc4a68774 14484 web optional php4-xslt_4.4.4-4_amd64.deb
2747e78770c218e5e66f41610af1a286 1160 web optional php4_4.4.4-4_all.deb
44c7426ddb38e6d2e4c4e0628df96d19 1174 web optional php4-pear_4.4.4-4_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFTOsdynjLPm522B0RAj21AJ9OZ25XeG5HmrH1G36sAA2MSnn4uQCfaDxO
MlcHSneaDvqCc5zHOcoZyaw=
=dboZ
-----END PGP SIGNATURE-----
--- End Message ---
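Added example, not code from Debian or from the php4 maintainers: the practical question a sysadmin has after reading the message above is whether every installed php4 package is at or above 4:4.4.4-4, the version that closed this bug. The script below is a Python port of the dpkg version-comparison rules (epoch compared numerically, then upstream version, then Debian revision; within a string, '~' sorts before everything, letters before other characters, digit runs numerically) so that package lists gathered from many hosts can be checked offline. The dpkg-query invocation named in the comment and the sample package list are assumed and constructed here; on a Debian host itself, `dpkg --compare-versions` is the authoritative implementation.

```python
"""Check installed php4 package versions against the version that fixed Bug#396764.

Added example (not Debian's code): a Python port of dpkg's version
comparison, plus a small filter over dpkg-query style output.
"""

# Version in which the fix shipped (from the .changes file above).
FIXED_VERSION = "4:4.4.4-4"


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # Sort weight of one character, as in dpkg: '~' sorts before the
    # end of the string, letters before non-letters, digits handled
    # separately by the numeric comparison below.
    if c == "" or _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings, dpkg style."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit prefixes character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Then compare the digit runs numerically, ignoring leading zeros.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1  # a has more digits, so it is the larger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version, ""
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def is_fixed(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) >= 0


def vulnerable_packages(dpkg_query_output, fixed=FIXED_VERSION):
    """Return (package, version) pairs whose version is older than `fixed`.

    Input lines are 'name version', e.g. from the assumed invocation
    dpkg-query -W -f='${Package} ${Version}\n' php4-common php4-cli ...
    """
    out = []
    for line in dpkg_query_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        name, version = parts
        if not is_fixed(version, fixed):
            out.append((name, version))
    return out


# Constructed sample, not captured from a real host.
SAMPLE_DPKG_OUTPUT = """\
libapache2-mod-php4 4:4.4.4-3
php4-cli 4:4.4.4-4
php4-common 4:4.4.4-3
php4-mysql 4:4.4.4-4
"""

if __name__ == "__main__":
    for name, version in vulnerable_packages(SAMPLE_DPKG_OUTPUT):
        print(f"{name} {version} is older than {FIXED_VERSION}")
```

Note the epoch: a host reporting plain `4.4.4-4` (no `4:` prefix) is not running this upload, and the comparison correctly treats it as older, because any version with a lower epoch sorts before one with a higher epoch regardless of the rest of the string.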