Debian Bug report logs - #323585
libapache2-mod-php4 - open_basedir bug - security

Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>; Source for libapache2-mod-php5 is src:php5.

Reported by: thorben <thorben@gawab.com>

Date: Wed, 17 Aug 2005 12:18:01 UTC

Severity: normal

Tags: sarge

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to thorben <thorben@gawab.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: thorben <thorben@gawab.com>
To: submit@bugs.debian.org
Subject: libapache2-mod-php4 - open_basedir bug - security
Date: Wed, 17 Aug 2005 14:15:09 +0200
Package: libapache2-mod-php4
Version:  4.3.10-15

same bug as described in version 5.0.4
http://bugs.php.net/bug.php?id=32937

if somebody has a directory structure like this:
/srv/user1
/srv/user2
.
.
.
/srv/user10
/srv/user11

user1 can access the files of user10 and user12 via PHP although
open_basedir is set


I talked to a PHP developer, for him it is fixed.

I am using debian sarge with no other patches / backports etc.

this bug is possibly in all php versions, I also found it in 4.4.0 on
gentoo linux

greetings
thorben





Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to thorben <thorben@gawab.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #10 received at 323585-done@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: thorben <thorben@gawab.com>, 323585-done@bugs.debian.org
Subject: Re: [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug - security
Date: Wed, 17 Aug 2005 23:44:14 +1000
thorben wrote:
> 
> if somebody has a directory structure like this:
> /srv/user1
> /srv/user2
> .
> .
> .
> /srv/user10
> /srv/user11
> 
> user1 can access the files of user10 and user12 via PHP although
> open_basedir is set

Are you using a trailing slash on your open_basedir directives?  From
the PHP manual:

> The restriction specified with open_basedir is actually a prefix, not
> a directory name. This means that "open_basedir = /dir/incl" also
> allows access to "/dir/include" and "/dir/incls" if they exist. When
> you want to restrict access to only the specified directory, end with
> a slash. For example: "open_basedir = /dir/incl/"

... Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to thorben <thorben@gawab.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 323585@bugs.debian.org (full text, mbox):

From: thorben <thorben@gawab.com>
To: Debian Bug Tracking System <323585@bugs.debian.org>
Subject: Re: Bug#323585 acknowledged by developer (Re: [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug - security)
Date: Wed, 17 Aug 2005 16:24:08 +0200
sry for bothering you again, but why is it closed?

the "yes I used it,..." from further mail meant that I used the
trailing "/" as described by the php manual and you (sry for
misunderstandings)

my configuration is:

<virtualhost...>
...
php_admin_value open_basedir /var/www/user1/
...
</virtualhost>

greets
thorben


> This is an automatic notification regarding your Bug report
> #323585: libapache2-mod-php4 - open_basedir bug - security,
> which was filed against the libapache2-mod-php4 package.

> It has been closed by one of the developers, namely
> Adam Conrad <adconrad@0c3.net>.

> Their explanation is attached below.  If this explanation is
> unsatisfactory and you have not received a better one in a separate
> message then please contact the developer, by replying to this email.

> Debian bug tracking system administrator
> (administrator, Debian Bugs database)

> thorben wrote:
>> 
>> if somebody has a directory structure like this:
>> /srv/user1
>> /srv/user2
>> .
>> .
>> .
>> /srv/user10
>> /srv/user11
>> 
>> user1 can access the files of user10 and user12 via PHP although
>> open_basedir is set

> Are you using a trailing slash on your open_basedir directives?  From
> the PHP manual:

>> The restriction specified with open_basedir is actually a prefix, not
>> a directory name. This means that "open_basedir = /dir/incl" also
>> allows access to "/dir/include" and "/dir/incls" if they exist. When
>> you want to restrict access to only the specified directory, end with
>> a slash. For example: "open_basedir = /dir/incl/"

> ... Adam






Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 323585@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: thorben <thorben@gawab.com>, 323585@bugs.debian.org, control@bugs.debian.org
Subject: Re: [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug - security
Date: Thu, 18 Aug 2005 00:24:44 +1000
reopen 323585
kthxbye

thorben wrote:
> hi,
> yes I used it, sry for not writing that

Hrm, okay.  On further investigation, you are right, the trailing slash
seems to do no good whatsoever.  Fun.  Reopening the bug.

... Adam



Bug reopened, originator not changed. Request was from Adam Conrad <adconrad@0c3.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #27 received at 323585@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: thorben <thorben@gawab.com>, 323585@bugs.debian.org
Subject: Re: Bug#323585: acknowledged by developer (Re: [php-maint] Bug#323585: libapache2-mod-php4 - open_basedir bug - security)
Date: Thu, 18 Aug 2005 00:55:33 +1000
thorben wrote:
> sry for bothering you again, but why is it closed?

Time delay, that's all.  It was already reopened by the time you got the
close message. :)

... Adam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Adam Conrad <adconrad@0c3.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #32 received at 323585@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: 323585@bugs.debian.org
Subject: open_basedir bug - security
Date: Mon, 26 Sep 2005 19:23:14 +1000
[Message part 1 (text/plain, inline)]
Alright, I've hunted this down to a small thinko in
main/fopen_wrappers.c.  Attached is a patch against php5 (applies cleanly
to php4 as well, with a minor offset).  A Debian security release for
this should happen reasonably soon, but you're free to recompile with
this patch, should you want it fixed ASAP.

... Adam
[open_basedir.patch (text/x-patch, inline)]
--- fopen_wrappers.c.old	2005-07-16 12:14:44.000000000 +0000
+++ fopen_wrappers.c	2005-09-26 09:07:55.000000000 +0000
@@ -109,8 +109,8 @@
 		/* Handler for basedirs that end with a / */
 		resolved_basedir_len = strlen(resolved_basedir);
 		if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
-			if (resolved_basedir[resolved_basedir_len - 1] == '/') {
-				resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+			if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+				resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
 				resolved_basedir[++resolved_basedir_len] = '\0';
 			}
 		}
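
Review bot: the new branch writes the separator at resolved_basedir[resolved_basedir_len] and the terminator one index further, with no visible check that the buffer has room for the extra byte, so a resolved basedir that already fills the buffer would be overrun by one. Suggest adding a capacity test to the `!= PHP_DIR_SEPARATOR` condition (the buffer size is declared outside this hunk). Also worth confirming that an empty basedir cannot reach this code, since the unchanged `basedir[strlen(basedir) - 1]` and the `resolved_basedir[resolved_basedir_len - 1]` read would then index at -1.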

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #37 received at 323585@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 323585@bugs.debian.org
Subject: Fwd: Re: CVE request: PHP4 open_basedir circumvention
Date: Tue, 27 Sep 2005 07:24:21 +0200
[Message part 1 (text/plain, inline)]
Hi!

I requested a CVE number for this:

======================================================
Candidate: CAN-2005-3054
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3054

fopen_wrappers.c in PHP 4.4.0, and possibly other versions, does not
properly restrict access to other directories when the open_basedir
directive includes a trailing slash, which allows PHP scripts in one
directory to access files in other directories whose names are
substrings of the original directory.

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
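
The trailing-slash behaviour discussed in this thread (the prefix semantics quoted from the PHP manual and the circumvention described in the CVE text), as an added example that is not code from the thread or from PHP: a self-contained C model of the prefix check with the pre-patch and patched handler side by side. `resolve_demo`, `allowed`, `DEMO_MAXPATH` and the capacity checks are assumptions of this sketch, and the sample paths are constructed from the directory layout in the report.

```c
#include <stdio.h>
#include <string.h>

#define SEP '/'            /* PHP_DIR_SEPARATOR on Unix */
#define DEMO_MAXPATH 256   /* constructed buffer size for this sketch */

typedef size_t (*handler_fn)(const char *basedir, char *rb, size_t cap);

/* Stand-in for path resolution (assumption): copies the path and drops any
 * trailing separator, as realpath()-style resolution does. No disk access. */
static int resolve_demo(const char *in, char *out, size_t cap) {
    size_t n = strlen(in);
    if (n == 0 || n >= cap) return -1;
    memcpy(out, in, n + 1);
    while (n > 1 && out[n - 1] == SEP) out[--n] = '\0';
    return 0;
}

/* Pre-patch logic: acts only if the resolved basedir already ends in '/'.
 * After resolution it does not, so the configured slash is silently lost. */
static size_t handler_old(const char *basedir, char *rb, size_t cap) {
    size_t len = strlen(rb);
    if (basedir[strlen(basedir) - 1] == SEP) {
        if (rb[len - 1] == '/' && len + 1 < cap) {
            rb[len - 1] = SEP;
            rb[++len] = '\0';
        }
    }
    return len;
}

/* Patched logic: re-append the separator when resolution removed it.
 * The capacity check is an addition of this sketch, not part of the patch. */
static size_t handler_new(const char *basedir, char *rb, size_t cap) {
    size_t len = strlen(rb);
    if (basedir[strlen(basedir) - 1] == SEP) {
        if (rb[len - 1] != SEP && len + 1 < cap) {
            rb[len] = SEP;
            rb[++len] = '\0';
        }
    }
    return len;
}

/* Prefix comparison as the manual describes it: 1 = access allowed. */
static int allowed(const char *basedir, const char *path, handler_fn h) {
    char rb[DEMO_MAXPATH], rp[DEMO_MAXPATH];
    if (resolve_demo(basedir, rb, sizeof rb) != 0) return 0;
    if (resolve_demo(path, rp, sizeof rp) != 0) return 0;
    size_t len = h(basedir, rb, sizeof rb);
    return strncmp(rb, rp, len) == 0;
}

int main(void) {
    /* Constructed paths, modelled on the layout in the report. */
    const char *base = "/srv/user1/";
    const char *paths[] = { "/srv/user1/index.php", "/srv/user10/secret.txt",
                            "/srv/user2/index.php" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++)
        printf("%-24s old=%d new=%d\n", paths[i],
               allowed(base, paths[i], handler_old),
               allowed(base, paths[i], handler_new));
    return 0;
}
```

With a basedir of "/srv/user1" (no trailing slash) both handlers allow "/srv/user10/...", which is the documented prefix behaviour rather than the bug.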

Reply sent to Adam Conrad <adconrad@0c3.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to thorben <thorben@gawab.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 323585-close@bugs.debian.org (full text, mbox):

From: Adam Conrad <adconrad@0c3.net>
To: 323585-close@bugs.debian.org
Subject: Bug#323585: fixed in php4 4:4.4.0-3
Date: Sat, 08 Oct 2005 10:32:07 -0700
Source: php4
Source-Version: 4:4.4.0-3

We believe that the bug you reported is fixed in the latest version of
php4, which is due to be installed in the Debian FTP archive:

libapache-mod-php4_4.4.0-3_i386.deb
  to pool/main/p/php4/libapache-mod-php4_4.4.0-3_i386.deb
libapache2-mod-php4_4.4.0-3_i386.deb
  to pool/main/p/php4/libapache2-mod-php4_4.4.0-3_i386.deb
php4-cgi_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-cgi_4.4.0-3_i386.deb
php4-cli_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-cli_4.4.0-3_i386.deb
php4-common_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-common_4.4.0-3_i386.deb
php4-curl_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-curl_4.4.0-3_i386.deb
php4-dev_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-dev_4.4.0-3_i386.deb
php4-domxml_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-domxml_4.4.0-3_i386.deb
php4-gd_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-gd_4.4.0-3_i386.deb
php4-ldap_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-ldap_4.4.0-3_i386.deb
php4-mcal_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mcal_4.4.0-3_i386.deb
php4-mhash_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mhash_4.4.0-3_i386.deb
php4-mysql_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-mysql_4.4.0-3_i386.deb
php4-odbc_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-odbc_4.4.0-3_i386.deb
php4-pear_4.4.0-3_all.deb
  to pool/main/p/php4/php4-pear_4.4.0-3_all.deb
php4-pgsql_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-pgsql_4.4.0-3_i386.deb
php4-recode_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-recode_4.4.0-3_i386.deb
php4-snmp_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-snmp_4.4.0-3_i386.deb
php4-sybase_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-sybase_4.4.0-3_i386.deb
php4-xslt_4.4.0-3_i386.deb
  to pool/main/p/php4/php4-xslt_4.4.0-3_i386.deb
php4_4.4.0-3.diff.gz
  to pool/main/p/php4/php4_4.4.0-3.diff.gz
php4_4.4.0-3.dsc
  to pool/main/p/php4/php4_4.4.0-3.dsc
php4_4.4.0-3_all.deb
  to pool/main/p/php4/php4_4.4.0-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 323585@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adam Conrad <adconrad@0c3.net> (supplier of updated php4 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 27 Sep 2005 16:12:05 +1000
Source: php4
Binary: php4-sybase php4-recode php4-cgi libapache-mod-php4 php4-cli php4-dev php4-snmp libapache2-mod-php4 php4-odbc php4-xslt php4-mysql php4-domxml php4-gd php4-ldap php4-common php4 php4-curl php4-pear php4-mcal php4-mhash php4-pgsql
Architecture: source i386 all
Version: 4:4.4.0-3
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
Changed-By: Adam Conrad <adconrad@0c3.net>
Description: 
 libapache-mod-php4 - server-side, HTML-embedded scripting language (apache 1.3 module)
 libapache2-mod-php4 - server-side, HTML-embedded scripting language (apache 2.0 module)
 php4       - server-side, HTML-embedded scripting language (meta-package)
 php4-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php4-cli   - command-line interpreter for the php4 scripting language
 php4-common - Common files for packages built from the php4 source
 php4-curl  - CURL module for php4
 php4-dev   - Files for PHP4 module development
 php4-domxml - XMLv2 module for php4
 php4-gd    - GD module for php4
 php4-ldap  - LDAP module for php4
 php4-mcal  - MCAL calendar module for php4
 php4-mhash - MHASH module for php4
 php4-mysql - MySQL module for php4
 php4-odbc  - ODBC module for php4
 php4-pear  - PHP Extension and Application Repository (transitional package)
 php4-pgsql - PostgreSQL module for php4
 php4-recode - Character recoding module for php4
 php4-snmp  - SNMP module for php4
 php4-sybase - Sybase / MS SQL Server module for php4
 php4-xslt  - XSLT module for php4
Closes: 323585
Changes: 
 php4 (4:4.4.0-3) unstable; urgency=low
 .
   * Remove Andres Salomon from the Uploaders field, at his request.  Thanks
     for all your work on the PHP packages, Andres, now fix our kernel bugs.
   * Add 054-open_basedir_slash.patch, which fixes a bug where if open_basedir
     is set to "/foo/", users can access files in "/foobar/", which is not the
     documented behaviour; this addresses CAN-2005-3054 (closes: #323585)
   * Add 055-gd_safe_mode_checks.patch from PHP CVS, adding missing safe_mode
     checks to the _php_image_output and _php_image_output_ctx GD functions.
Files: 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDR/uZvjztR8bOoMkRAlOMAKDWWk5EAgR+y+9ICgkwQBRkIaP++QCfQs37
3siLeXd5jm9bXszUiAwNjaE=
=E/T0
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Allard Hoeve <allard@byte.nl>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #47 received at 323585@bugs.debian.org (full text, mbox):

From: Allard Hoeve <allard@byte.nl>
To: 323585@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Still applies?
Date: Tue, 8 Aug 2006 11:14:55 +0200 (CEST)
reopen 323585
tags sarge
found 4:4.3.10-16
thanks


Dear Adam, others,

Doesn't this bug still apply to Sarge?

You patched this for Ubuntu (hoary) [0], but as far as I can tell, not for 
Sarge.

Maybe it slipped under the radar with the upload of 4.4.0?

Regards,

Allard

[0] http://changelogs.ubuntu.com/changelogs/pool/main/p/php4/php4_4.3.10-10ubuntu4.2/changelog



Bug reopened, originator not changed. Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 4:4.3.10-16. Request was from Allard Hoeve <allard@byte.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#323585; Package libapache2-mod-php4. Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #58 received at 323585@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: 370375@bugs.debian.org, 341346@bugs.debian.org, 392839@bugs.debian.org, 298052@bugs.debian.org, 424937@bugs.debian.org, 410549@bugs.debian.org, 386041@bugs.debian.org, 271856@bugs.debian.org, 456728@bugs.debian.org, 264806@bugs.debian.org, 323585@bugs.debian.org, control@bugs.debian.org, libapache2-mod-php5@packages.debian.org
Subject: Reassigning bugs from libapache2-mod-php4 to libapache2-mod-php5
Date: Mon, 05 May 2008 10:19:37 +0200
reassign 370375 libapache2-mod-php5
reassign 341346 libapache2-mod-php5
reassign 392839 libapache2-mod-php5
reassign 298052 libapache2-mod-php5
reassign 424937 libapache2-mod-php5
reassign 410549 libapache2-mod-php5
reassign 386041 libapache2-mod-php5
reassign 271856 libapache2-mod-php5
reassign 456728 libapache2-mod-php5
reassign 264806 libapache2-mod-php5
reassign 323585 libapache2-mod-php5
thanks

The libapache2-mod-php4 package has been removed from Debian testing, unstable and
experimental. I am reassigning its bugs to the libapache2-mod-php5 package. Please
have a look at them, and close them if they don't apply to
libapache2-mod-php5 anymore.

Don't hesitate to reply to this mail if you have any question.
-- 
Lucas




Bug reassigned from package `libapache2-mod-php4' to `libapache2-mod-php5'. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to control@bugs.debian.org. (Mon, 05 May 2008 08:32:26 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to thorben <thorben@gawab.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #65 received at 323585-done@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 323585-done@bugs.debian.org
Subject: open_basedir not considered security issue
Date: Tue, 20 May 2008 14:09:43 +0200
[Message part 1 (text/plain, inline)]
Hi,

I'm closing this bug for two reasons:
1) It's in sarge, but sarge is EOL'd so can't be updated anymore;
2) We do not consider open_basedir bugs security critical.


bye,
Thijs
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Jun 2008 07:40:31 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 02:44:56 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.