On Tuesday 14 November 2006 17:32, Stefan Esser wrote:
> Application: Dotdeb PHP < 5.2.0 Rev 3
> Severity: Calling PHP scripts with special crafted URLs
> can result in arbitrary email header injection
> Risk: Critical
> Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev 3
As far as I can see, the package diff for php4.4.4
http://packages.dotdeb.org/dists/stable/php4/source/php4_4.4.4-0.dotdeb.
1.diff.gz
contains the vulnerable patch as well.
I wasn't unable to find a security contact (or even A contact) on dotdeb's web
site, nor I could find a version control system from which i could abstract
easily the security patch in order to easily backport it myself.
As a dotdeb user i'm a bit disappointed, but i also know that's because i
didn't check when i chose dotdeb as my php4 backporter for sarge, so i have
very little to complain.
Anyway, will the maintainer provide updated php4 packages as well?
For those of you interested in upgrading today, here is a diff between the
php4 mail patch and the new php5 mail patch: http://ca.pastebin.com/824455
> Application: Dotdeb PHP < 5.2.0 Rev 3
> Severity: Calling PHP scripts with special crafted URLs
> can result in arbitrary email header injection
> Risk: Critical
> Vendor Status: Vendor has fixed this with Dotdeb PHP 5.2.0 rev 3
As far as I can see, the package diff for php4.4.4
http://packages.dotdeb.org/dists/stable/php4/source/php4_4.4.4-0.dotdeb.
1.diff.gz
contains the vulnerable patch as well.
I wasn't unable to find a security contact (or even A contact) on dotdeb's web
site, nor I could find a version control system from which i could abstract
easily the security patch in order to easily backport it myself.
As a dotdeb user i'm a bit disappointed, but i also know that's because i
didn't check when i chose dotdeb as my php4 backporter for sarge, so i have
very little to complain.
Anyway, will the maintainer provide updated php4 packages as well?
For those of you interested in upgrading today, here is a diff between the
php4 mail patch and the new php5 mail patch: http://ca.pastebin.com/824455
--
pub 1024D/8D2787EF 723C 7CA3 3C19 2ACE 6E20 9CC1 9956 EB3C 8D27 87EF
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQBFWjJymVbrPI0nh+8RAq/CAJ0XsZwFYP9e9B95gAlwzwKPlL6a8QCcCdeJ
WoSH9NUENl3oksyLl8mrwXs=
=yug+
-----END PGP SIGNATURE-----
[ reply ]