On Sun, 29 Apr 2007 23:31:42 +0200 Francesco Poli wrote:
> Hi!
[...]

And as usual, I forgot to say: Please Cc: me on replies, as I am not a
list subscriber. Thanks.

-- 
http://frx.netsons.org/doc/nanodocs/testing_workstation_install.html
Need to read a Debian testing installation walk-through?
..................................................... Francesco Poli .
GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Hi!

I noticed what seems to be an inconsistency between the security bug
tracker[1] and a DSA.

Many PHP5 bugs are still listed by the tracker[2] as present in unstable,
but many of them are claimed to be fixed in version 5.2.0-11 (which is
currently in sid) by DSA 1283-1.

For instance, the tracker page for CVE-2007-1700[3] says:

| php5 (PTS)  etch             5.2.0-8+etch1  vulnerable
|             etch (security)  5.2.0-8+etch3  fixed
|             lenny            5.2.0-10       vulnerable
|             sid              5.2.0-11       vulnerable

At the same time, DSA 1283-1[4] claims that this vulnerability is fixed
in version 5.2.0-11.

Who's wrong? Who's right?

I think all the PHP bugs in the tracker should be reviewed to check the
consistency of the provided information with DSAs and the BTS...

[1] http://security-tracker.debian.net/tracker/
[2] http://security-tracker.debian.net/tracker/status/release/unstable
[3] http://security-tracker.debian.net/tracker/CVE-2007-1700
[4] http://lists.debian.org/debian-security-announce/debian-security-announce-2007/msg00039.html

-- 
Francesco Poli
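The review Francesco asks for can be automated. The following Python is an added example, not code from the thread or from the Debian security tracker: it parses tracker status rows of the shape quoted above, compares package versions with dpkg's ordering rules (epoch, upstream, revision, with '~' sorting first), and flags rows whose status contradicts an advisory's claimed fixed version. A second small check lists advisory CVE ids that a package changelog never mentions, which is the kind of typo (1453 written where 1454 was meant) that turned up later in this thread. The tracker rows and the sid claim are taken from the message above; the dict layout for claims and the changelog fragment are this example's own constructions.

```python
import re

# Constructed sample input: the tracker status block quoted in the thread for
# CVE-2007-1700, re-typed one row per line.
TRACKER_ROWS = """\
php5 (PTS) etch 5.2.0-8+etch1 vulnerable
etch (security) 5.2.0-8+etch3 fixed
lenny 5.2.0-10 vulnerable
sid 5.2.0-11 vulnerable
"""

# The advisory's claim from the thread: DSA 1283-1 says the bug is fixed in
# 5.2.0-11 for sid. Keying claims by suite name is this example's own layout.
DSA_CLAIMS = {"sid": "5.2.0-11"}

# Constructed changelog fragment reproducing the typo the thread found
# (the entry names 1453 where 1454 was meant); the description is a placeholder.
CHANGELOG = """\
php5 (5.2.0-11) unstable; urgency=high
  * CVE-2007-1453-MOPB-18: (placeholder description)
"""

ROW_RE = re.compile(
    r"^(?:\S+ \(PTS\) )?"                      # optional package cell
    r"(?P<suite>\w+(?: \(security\))?) "
    r"(?P<version>\S+) "
    r"(?P<status>vulnerable|fixed)$"
)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _order(c):
    """Sort weight of one character in dpkg's non-digit comparison."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _verrevcmp(a, b):
    """dpkg-style comparison of one version part (upstream or revision)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 in the same order as dpkg --compare-versions."""
    def split(v):
        epoch = 0
        if ":" in v:
            e, v = v.split(":", 1)
            epoch = int(e)
        upstream, _, revision = v.rpartition("-")
        if not upstream:               # no '-': the whole string is upstream
            upstream, revision = revision, ""
        return epoch, upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return 1 if c > 0 else -1
    return 0


def parse_tracker_rows(text):
    """Yield (suite, version, status) for every row that matches ROW_RE."""
    return [(m["suite"], m["version"], m["status"])
            for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def find_inconsistencies(tracker_text, claims):
    """Rows whose status contradicts the advisory's claimed fixed version."""
    bad = []
    for suite, version, status in parse_tracker_rows(tracker_text):
        claimed = claims.get(suite)
        if claimed is None:
            continue
        at_or_past_fix = compare_versions(version, claimed) >= 0
        if status == "vulnerable" and at_or_past_fix:
            bad.append((suite, version, "tracker says vulnerable, DSA says fixed in " + claimed))
        elif status == "fixed" and not at_or_past_fix:
            bad.append((suite, version, "tracker says fixed below the DSA's fix version " + claimed))
    return bad


def cves_missing_from_changelog(dsa_cves, changelog_text):
    """CVE ids the advisory lists that the changelog never mentions."""
    return sorted(set(dsa_cves) - set(CVE_RE.findall(changelog_text)))


if __name__ == "__main__":
    for suite, version, why in find_inconsistencies(TRACKER_ROWS, DSA_CLAIMS):
        print(f"{suite} {version}: {why}")
    print("not in changelog:",
          cves_missing_from_changelog(["CVE-2007-1453", "CVE-2007-1454"], CHANGELOG))
```

Run against the rows above it reports the sid row, because a package at the version the DSA names cannot still be vulnerable to that CVE; a row marked fixed at a version older than the DSA's fix version would be reported for the opposite reason. The version comparator follows dpkg's rules rather than naive string or float comparison, which matters for revisions such as `8+etch3` versus `11`.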
* Francesco Poli:

> At the same time, DSA 1283-1[4] claims that this vulnerability is fixed
> in version 5.2.0-11.

I've looked at the source package, and the patch is contained in it and
also applied. So I've corrected the tracker to indicate that 5.2.0-11 is
indeed fixed.

Thanks for reporting this inconsistency.
On Mon, 30 Apr 2007 11:23:25 +0200 Florian Weimer wrote:
> * Francesco Poli:
>
> > At the same time, DSA 1283-1[4] claims that this vulnerability is
> > fixed in version 5.2.0-11.
>
> I've looked at the source package, and the patch is contained in it
> and also applied. So I've corrected the tracker to indicate that
> 5.2.0-11 is indeed fixed.
>
> Thanks for reporting this inconsistency.

You're welcome! ;-)

What about the other PHP vulnerabilities?

The following ones are claimed to be fixed for sid in php5 version
5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by the
tracker:

CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
CVE-2007-1900

The following ones are claimed to be fixed for sid in php4 version
4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by the
tracker:

CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
CVE-2007-1718 CVE-2007-1777

-- 
Francesco Poli
Hi,

On Monday, 30 April 2007, Francesco Poli wrote:
> The following ones are claimed to be fixed for sid in php5 version
> 5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by
> the tracker:
>
> CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
> CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
> CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
> CVE-2007-1900
>

CVE-2007-1711 does not seem to be fixed (but is unimportant). The rest
are fixed. There is a typo in the changelog though:
CVE-2007-1453-MOPB-18 should be ...-1454-...

I have updated the tracker accordingly.

> The following ones are claimed to be fixed for sid in php4 version
> 4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by
> the tracker:
>
> CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
> CVE-2007-1718 CVE-2007-1777

I could only find information that CVE-2007-1286, CVE-2007-1380, and
CVE-2007-1777 are fixed. I don't think the rest are fixed.

@Sean: do you have more information? Thanks.

Cheers,
Stefan
hey guys,

to quote a little godfather...
"Just when I thought that I was out they pull me back in"

:)

On Mon, 2007-04-30 at 23:44 +0200, Stefan Fritsch wrote:
> On Monday, 30 April 2007, Francesco Poli wrote:
> > The following ones are claimed to be fixed for sid in php5 version
> > 5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by
> > the tracker:
> >
> > CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
> > CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
> > CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
> > CVE-2007-1900
> >
>
> CVE-2007-1711 does not seem to be fixed (but is unimportant). The rest
> are fixed. There is a typo in the changelog though:
> CVE-2007-1453-MOPB-18 should be ...-1454-...

i *think* CVE-2007-1711 is already fixed in the version of the patch we
have for CVE-2007-0910. are you basing your finding on looking at the
patch/changelog, or have you confirmed it's actually vulnerable? my
test poc doesn't seem to work anyway.

> > The following ones are claimed to be fixed for sid in php4 version
> > 4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by
> > the tracker:
> >
> > CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
> > CVE-2007-1718 CVE-2007-1777
>
> I could only find information that CVE-2007-1286, CVE-2007-1380, and
> CVE-2007-1777 are fixed. I don't think the rest are fixed.
>
> @Sean: do you have more information? Thanks.

it looks like CVE-2007-1521 CVE-2007-1711 and CVE-2007-1718 were all
fixes > 4.4.6, grumble. i've applied the patches for each of them, and
i guess i'll be making another upload...

	sean
sean finney wrote:
> hey guys,
>
> to quote a little godfather...
> "Just when I thought that I was out they pull me back in"

You don't have a chance. Stefan Esser is the Luca Brasi of PHP Security.

> On Mon, 2007-04-30 at 23:44 +0200, Stefan Fritsch wrote:
> > On Monday, 30 April 2007, Francesco Poli wrote:
> > > The following ones are claimed to be fixed for sid in php5 version
> > > 5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by
> > > the tracker:
> > >
> > > CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
> > > CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
> > > CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
> > > CVE-2007-1900
> > >
> >
> > CVE-2007-1711 does not seem to be fixed (but is unimportant). The rest
> > are fixed. There is a typo in the changelog though:
> > CVE-2007-1453-MOPB-18 should be ...-1454-...
>
> i *think* CVE-2007-1711 is already fixed in the version of the patch we
> have for CVE-2007-0910. are you basing your finding on looking at the
> patch/changelog, or have you confirmed it's actually vulnerable? my
> test poc doesn't seem to work anyway.

Are we talking about php5? CVE-2007-1711 is php4 only.

> > > The following ones are claimed to be fixed for sid in php4 version
> > > 4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by
> > > the tracker:
> > >
> > > CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
> > > CVE-2007-1718 CVE-2007-1777
> >
> > I could only find information that CVE-2007-1286, CVE-2007-1380, and
> > CVE-2007-1777 are fixed. I don't think the rest are fixed.
> >
> > @Sean: do you have more information? Thanks.
>
> it looks like CVE-2007-1521 CVE-2007-1711 and CVE-2007-1718 were all
> fixes > 4.4.6, grumble. i've applied the patches for each of them, and
> i guess i'll be making another upload...

No need to flog a dead horse. Better spend the time filing RC bugs for
php4 removal blocks. Just today someone uploaded php-imagick with updated
php4 support...

Cheers,
Moritz
On Tue, 1 May 2007 01:49:38 +0200 Moritz Muehlenhoff wrote:
> sean finney wrote:
[...]
> > i *think* CVE-2007-1711 is already fixed in the version of the patch
> > we have for CVE-2007-0910. are you basing your finding on looking
> > at the patch/changelog, or have you confirmed it's actually
> > vulnerable? my test poc doesn't seem to work anyway.
>
> Are we talking about php5? CVE-2007-1711 is php4 only.

php4 only?
Then why is it listed in DSA 1283-1, which is about php5?

-- 
Francesco Poli
On Mon, 30 Apr 2007 23:44:24 +0200 Stefan Fritsch wrote:
> Hi,
>
> On Monday, 30 April 2007, Francesco Poli wrote:
> > The following ones are claimed to be fixed for sid in php5 version
> > 5.2.0-11 by DSA 1283-1, but are still considered unfixed in sid by
> > the tracker:
> >
> > CVE-2007-1375 CVE-2007-1376 CVE-2007-1380 CVE-2007-1453
> > CVE-2007-1454 CVE-2007-1521 CVE-2007-1583 CVE-2007-1711
> > CVE-2007-1718 CVE-2007-1824 CVE-2007-1887 CVE-2007-1889
> > CVE-2007-1900
> >
>
> CVE-2007-1711 does not seem to be fixed (but is unimportant).

That is to say? Is DSA 1283-1 *lying* ?!?

[...]
> I have updated the tracker accordingly.

Fine.

>
> > The following ones are claimed to be fixed for sid in php4 version
> > 4.4.6-1 by DSA 1282-1, but are still considered unfixed in sid by
> > the tracker:
> >
> > CVE-2007-1286 CVE-2007-1380 CVE-2007-1521 CVE-2007-1711
> > CVE-2007-1718 CVE-2007-1777
>
> I could only find information that CVE-2007-1286, CVE-2007-1380, and
> CVE-2007-1777 are fixed. I don't think the rest are fixed.

Again, is DSA 1282-1 *lying* ?!?

-- 
Francesco Poli