Debian Bug report logs -
#499993
CVE-2008-3660: fastcgi module vulnerability
Reported by: sean finney <seanius@debian.org>
Date: Wed, 24 Sep 2008 06:36:01 UTC
Severity: important
Tags: patch
Fixed in version 6:4.4.6-2+rm
Done: Marco Rodrigues <gothicx@gmail.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#499987; Package php5.
(Wed, 24 Sep 2008 06:36:04 GMT) (full text, mbox, link).
Acknowledgement sent
to sean finney <seanius@debian.org>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Wed, 24 Sep 2008 06:36:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5
Version: 5.2.6-3
Severity: important
Tags: patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
via http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3660
PHP 4.4.x before 4.4.9 and PHP 5.6 through 5.2.6, when used as a FastCGI
module, allows remote attackers to cause a denial of service (crash)
via a request with multiple dots preceding the extension, as demonstrated
using foo..php.
patch:
http://cvs.php.net/viewvc.cgi/php-src/sapi/cgi/cgi_main.c?r1=1.267.2.15.2.57&r2=1.267.2.15.2.58&view=patch
- -- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages php5 depends on:
ii libapache2-mod-php5 5.2.6-3 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6-3 server-side, HTML-embedded scripti
ii php5-common 5.2.6-3 Common files for packages built fr
php5 recommends no packages.
php5 suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFI2d9CynjLPm522B0RAltTAJ92rgbk6C29VbCEYZGvrNvoOvVB9gCghdDw
xM8Ei8VXD0LEZXugHYeXmXo=
=RGSS
-----END PGP SIGNATURE-----
Bug 499987 cloned as bug 499993.
Request was from Sean Finney <seanius@debian.org>
to control@bugs.debian.org.
(Wed, 24 Sep 2008 06:51:02 GMT) (full text, mbox, link).
Bug reassigned from package `php5' to `php4'.
Request was from Sean Finney <seanius@debian.org>
to control@bugs.debian.org.
(Wed, 24 Sep 2008 06:51:04 GMT) (full text, mbox, link).
Reply sent
to Marco Rodrigues <gothicx@gmail.com>:
You have taken responsibility.
(Sat, 27 Mar 2010 15:03:16 GMT) (full text, mbox, link).
Notification sent
to sean finney <seanius@debian.org>:
Bug acknowledged by developer.
(Sat, 27 Mar 2010 15:03:17 GMT) (full text, mbox, link).
Message #14 received at 499993-done@bugs.debian.org (full text, mbox, reply):
Version: 6:4.4.6-2+rm
You filed the bug http://bugs.debian.org/499993 in Debian BTS
against the package php4. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/428266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
--
Marco Rodrigues
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 25 Apr 2010 07:33:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jul 2 02:37:49 2023;
Machine Name:
bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.