Debian Bug report logs - #559787
php4: CVE-2008-5624
Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Mon, 7 Dec 2009 03:21:01 UTC
Severity: important
Tags: security
Found in version php4/6:4.4.4-8
Fixed in version 6:4.4.6-2+rm
Done: Marco Rodrigues <gothicx@gmail.com>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#559787; Package php4. (Mon, 07 Dec 2009 03:21:04 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 07 Dec 2009 03:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php4
Version: 6:4.4.4-8
Severity: serious
Tags: security
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for php4.
CVE-2008-5624[0]:
| PHP 5 before 5.2.7 does not properly initialize the page_uid and
| page_gid global variables for use by the SAPI php_getuid function,
| which allows context-dependent attackers to bypass safe_mode
| restrictions via variable settings that are intended to be restricted
| to root, as demonstrated by a setting of /etc for the error_log
| variable.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5624
http://security-tracker.debian.org/tracker/CVE-2008-5624
Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>: Bug#559787; Package php4. (Mon, 07 Dec 2009 06:27:07 GMT)
Acknowledgement sent to Raphael Geissert <geissert@debian.org>: Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Mon, 07 Dec 2009 06:27:07 GMT)
Message #10 received at 559787@bugs.debian.org:
severity 559787 important
thanks
Hi Michael,
safe_mode and open_basedir do not receive security support (see
README.Debian.security in php4-common and data/package-tags on the
tracker repo) and PHP4 is far behind security updates anyway.
Sean, apparently at some point you said you were going to prepare an
updated package, do you still plan to work on one?
Maybe another upload could be prepared addressing the most severe
issues and declaring the EOL of security support.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Severity set to 'important' from 'serious'. Request was from Raphael Geissert <geissert@debian.org> to control@bugs.debian.org. (Mon, 07 Dec 2009 06:27:08 GMT)
Reply sent to Marco Rodrigues <gothicx@gmail.com>: You have taken responsibility. (Fri, 26 Mar 2010 19:54:23 GMT)
Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Fri, 26 Mar 2010 19:54:24 GMT)
Message #17 received at 559787-done@bugs.debian.org:
Version: 6:4.4.6-2+rm
You filed the bug http://bugs.debian.org/559787 in Debian BTS
against the package php4. I'm closing it at *unstable*, but it will
remain open for older distributions.
For more information about this package's removal, read
http://bugs.debian.org/428266. That bug might give the reasons why
this package was removed and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any questions.
Thank you for your contribution to Debian.
--
Marco Rodrigues
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 24 Apr 2010 07:34:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Sun Jul 2 02:37:03 2023; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.