Author: jmm-guest Date: 2005-10-09 14:05:44 +0000 (Sun, 09 Oct 2005) New Revision: 2366 Modified: data/CAN/list Log: php base_dir issue fixed, new one fixed as well Modified: data/CAN/list ==================================================================--- data/CAN/list 2005-10-09 13:58:53 UTC (rev 2365) +++ data/CAN/list 2005-10-09 14:05:44 UTC (rev 2366) @@ -1,3 +1,6 @@ +CAN-2005-XXXX [Missing safemode checks in PHP''s _php_image_output functions] + - php5 5.0.5-2 + - php4 4:4.4.0-3 CAN-2005-XXXX [kernel: Information leakage in orinoco driver] - linux-2.6 <unfixed> NOTE: Reported w/o bug to Horms @@ -409,8 +412,8 @@ - linux-2.6 <unfixed> (bug #330343; bug #330287; medium) - kernel-source-2.6.8 <unfixed> (bug #332596) CAN-2005-3054 (fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not ...) - - php4 <unfixed> (bug #353585; medium) - - php5 <unfixed> (bug #353585; medium) + - php4 4:4.4.0-3 (bug #353585; medium) + - php5 5.0.5-2 (bug #353585; medium) CAN-2005-3053 (The sys_set_mempolicy function in mempolicy.c in Linux kernel 2.6.x ...) - linux-2.6 2.6.12-3 (bug #330343; bug #330353; medium) - kernel-source-2.6.8 2.6.8-16sarge2 (medium)
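Review bot: the new `+CAN-2005-XXXX [Missing safemode checks in PHP''s _php_image_output functions]` entry in the first hunk records only the fixed versions (`php5 5.0.5-2`, `php4 4:4.4.0-3`) and carries no NOTE line giving its source, unlike the neighbouring `CAN-2005-XXXX [kernel: Information leakage in orinoco driver]` entry, which has `NOTE: Reported w/o bug to Horms`. With two placeholder ids now stacked at the top of the file, the bracketed description is the only thing telling them apart when real CAN numbers are assigned later, so add a NOTE with a reference (bug number, advisory or upstream changelog) for the safemode issue.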
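Review bot: in the second hunk the CAN-2005-3054 lines move php4 and php5 from `<unfixed>` to `4:4.4.0-3` and `5.0.5-2` while keeping `(bug #353585; medium)` on both; these are the same versions recorded for the new safemode entry in the first hunk, so both issues are being attributed to the same two uploads. Worth confirming that bug #353585 is actually closed by those uploads' changelogs before the bug reference stays on a fixed entry, and a NOTE cross-referencing the two entries would make the shared fix easier to audit.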
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN
Florian Weimer wrote:
> > +CAN-2005-XXXX [Missing safemode checks in PHP''s _php_image_output functions]
> > + - php5 5.0.5-2
> > + - php4 4:4.4.0-3
>
> According to Debian's stable security bug fixing policy, these aren't
> security vulnerabilities. Shall we track them nevertheless?

As this hasn't been specifically publicly announced, we should do so? I don't have a strong opinion, though, and my knowledge/appreciation of PHP is limited.

Moritz
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN
* Moritz Muehlenhoff:
>> According to Debian's stable security bug fixing policy, these aren't
>> security vulnerabilities. Shall we track them nevertheless?
>
> As this hasn't been specifically publicly announced, we should do so?

I don't know. I've been told it's the policy, and I've documented in (see my posting on debian-security). We could put it on the secure-testing web server if you agree it's a reasonable policy.
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN
Florian Weimer wrote:
> >> According to Debian's stable security bug fixing policy, these aren't
> >> security vulnerabilities. Shall we track them nevertheless?
> >
> > As this hasn't been specifically publicly announced, we should do so?
>
> I don't know. I've been told it's the policy, and I've documented in
> (see my posting on debian-security). We could put it on the
> secure-testing web server if you agree it's a reasonable policy.

I agree it's a reasonable policy, but as the overhead of tracking these issues is significantly lower than for the stable security team, we could track deficiencies in it as well? Do you know how other distributions handle defects in the PHP safe mode?

Cheers,
Moritz
Florian Weimer
2006-Mar-13 12:28 UTC
[Secure-testing-team] Re: [Secure-testing-commits] r2366 - data/CAN
* Moritz Muehlenhoff:
> +CAN-2005-XXXX [Missing safemode checks in PHP''s _php_image_output functions]
> + - php5 5.0.5-2
> + - php4 4:4.4.0-3

According to Debian's stable security bug fixing policy, these aren't security vulnerabilities. Shall we track them nevertheless?