Giuseppe Iuculano
2008-Dec-23 10:49 UTC
[Secure-testing-team] register_globals on is not supported
tags 508026 fixed-upstream
thanks

Hi,

Thijs Kinkhorst wrote:
> As it seems, upstream does already support running in register_globals=0 mode
> for a long time (according to their changelog since 2002...). Therefore I
> guess this bug would be fixed if the statement turning register_globals on
> was removed from the Apache configuration file. Of course this does need some
> thorough testing.
>
> When doing that, including the fix from this bug report as well is a good idea
> since it can't hurt and will provide some extra protection for those running
> unsafe setups.

Upstream released a new version to fix this issue. Attached are the debdiffs for
stable/testing/unstable with the trivial backported patch [1], and
register_globals off (not in stable).

I also tested phppgadmin with register_globals off, and I didn't find any
evident problems.

I'm not a DD, so these need a review and an upload.

[1] http://github.com/xzilla/phppgadmin/commit/a4531f0f3345f92c721aaeae0226fea0b634aed4

Giuseppe.

Attachments:
phppgadmin_4.0.1-3.2.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/c6ea2327/attachment.txt
phppgadmin_4.2.1-1.1.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/c6ea2327/attachment-0001.txt
phppgadmin_4.2-1.1.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/c6ea2327/attachment-0002.txt
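The Apache-side change Thijs describes (dropping the statement that turns register_globals on), shown as an added example that is not the Debian package's own configuration file; the Alias, directory path and mod_php module name are assumptions:

```apache
# Added example, not the phppgadmin package's shipped fragment.
# Alias target, directory and module name are assumed for illustration.

# BEFORE: the per-application override that re-enables register_globals,
# so every GET/POST/cookie key becomes a PHP variable for this vhost path.
Alias /phppgadmin /usr/share/phppgadmin
<Directory /usr/share/phppgadmin>
    <IfModule mod_php5.c>
        php_flag register_globals on
    </IfModule>
</Directory>

# AFTER: remove the override so the server-wide default (off) applies, and
# pin it off with php_admin_flag so a stray php.ini or .htaccess cannot
# turn it back on for this directory.
Alias /phppgadmin /usr/share/phppgadmin
<Directory /usr/share/phppgadmin>
    <IfModule mod_php5.c>
        php_admin_flag register_globals off
    </IfModule>
</Directory>
```

After reloading Apache, a phpinfo() page served from under /phppgadmin should list register_globals as Off in both the Local and Master Value columns.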
Nico Golde
2008-Dec-23 14:05 UTC
[Secure-testing-team] register_globals on is not supported
Hi,

* Giuseppe Iuculano <giuseppe at iuculano.it> [2008-12-23 14:50]:
> Thijs Kinkhorst wrote:
> > As it seems, upstream does already support running in register_globals=0 mode
> > for a long time (according to their changelog since 2002...). Therefore I
> > guess this bug would be fixed if the statement turning register_globals on
> > was removed from the Apache configuration file. Of course this does need some
> > thorough testing.
> >
> > When doing that, including the fix from this bug report as well is a good idea
> > since it can't hurt and will provide some extra protection for those running
> > unsafe setups.
>
> Upstream released a new version to fix this issue. Attached are the debdiffs for
> stable/testing/unstable with the trivial backported patch [1], and
> register_globals off (not in stable).
>
> I also tested phppgadmin with register_globals off, and I didn't find any
> evident problems.
>
> I'm not a DD, so these need a review and an upload.

I take care of sponsoring the upload for unstable. For stable security the
version looks wrong to me, please use 4.0.1-3.1etch1.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Giuseppe Iuculano
2008-Dec-23 14:43 UTC
[Secure-testing-team] register_globals on is not supported
Hi,

Nico Golde wrote:
> I take care of sponsoring the upload for unstable. For
> stable security the version looks wrong to me, please use
> 4.0.1-3.1etch1.

Right, attached the new debdiff.

Giuseppe.

Attachments:
phppgadmin_4.0.1-3.1etch1.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/8d38168f/attachment.txt
phppgadmin_4.2-1lenny1.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/8d38168f/attachment-0001.txt
Giuseppe Iuculano
2008-Dec-23 17:49 UTC
[Secure-testing-team] register_globals on is not supported
Hi,

Giuseppe Iuculano wrote:
> Hi,
>
> Nico Golde wrote:
>> I take care of sponsoring the upload for unstable. For
>> stable security the version looks wrong to me, please use
>> 4.0.1-3.1etch1.
>
> Right, attached the new debdiff.
>
> Giuseppe.
>

Attached a new proposed debdiff to fix also #427151, #449103 (CVE-2007-2865,
CVE-2007-5728) in stable.

Giuseppe.

Attachment:
phppgadmin_4.0.1-3.1etch1.debdiff: http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20081223/1082e004/attachment-0001.txt