Debian Bug report logs - #654439
'php5: name and process id missing in suhosin alerts via syslog'

Package: php5; Maintainer for php5 is (unknown);

Reported by: Marc-Christian Petersen <m.c.p@gmx.de>

Date: Tue, 3 Jan 2012 18:27:01 UTC

Severity: important

Fixed in version 5.4.0~rc5-1

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#654439; Package php5-suhosin. (Tue, 03 Jan 2012 18:27:04 GMT)


Acknowledgement sent to Marc-Christian Petersen <m.c.p@gmx.de>:
New Bug report received and forwarded. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Tue, 03 Jan 2012 18:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Marc-Christian Petersen <m.c.p@gmx.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5-suhosin: name and process id missing in suhosin alerts via syslog
Date: Tue, 03 Jan 2012 19:18:54 +0100
Package: php5-suhosin
Version: 0.9.32.1-1
Severity: important

Hi,

am I missing something here?

Jan  3 19:08:19 myhost ALERT - function within blacklist called: phpinfo() (attacker '1.2.3.4', file '/var/www/phpinfo.php', line 2)

If I recall correctly, some time ago there was also suhosin[$pid] logged after the hostname.

If I log suhosin alerts to a file also, there's a pid inside the log entry in the file but
not in syslog. I'm using rsyslog 5.8.6-1.

Just double-checked that on a Lenny and a Squeeze: the log entries via syslog are OK there, or
at least, I'd like them to be that way on SID too:

Jan  3 19:14:18 otherhost suhosin[28077]: ALERT - function within blacklist called: phpinfo() (attacker '1.2.3.4', file '/var/www/phpinfo.php', line 2)

thank you.


-- System Information:
Debian Release: wheezy/sid
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.6-grsec (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages php5-suhosin depends on:
ii  libapache2-mod-php5 [phpapi-20090626]  5.3.8.0-1+b1
ii  libc6                                  2.13-24
ii  php5-cgi [phpapi-20090626]             5.3.8.0-1+b1
ii  php5-cli [phpapi-20090626]             5.3.8.0-1+b1

php5-suhosin recommends no packages.

php5-suhosin suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#654439; Package php5-suhosin. (Tue, 03 Jan 2012 20:42:03 GMT)


Acknowledgement sent to Marc-Christian Petersen <m.c.p@gmx.de>:
Extra info received and forwarded to list. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Tue, 03 Jan 2012 20:42:03 GMT)


Message #10 received at 654439@bugs.debian.org:

From: Marc-Christian Petersen <m.c.p@gmx.de>
To: 654439@bugs.debian.org
Subject: Re: php5-suhosin: name and process id missing in suhosin alerts via syslog
Date: Tue, 03 Jan 2012 21:38:12 +0100
Hi again,

tried that on a fresh sid install, 32bit, same problem there.

I've also noticed that sometimes you see log entries like:

Jan  3 20:42:42 testhost ERT - script tried to disable memory_limit by setting i...
Jan  3 20:44:01 testhost LERT - script tried to disable memory_limit by setting i...

you notice the missing AL and missing A ...

seems Suhosin is totally b0rked with new PHP 5.3.8 ...

-- 
ciao, Marc
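A small checker for the two symptoms described in this thread (a syslog entry without the `suhosin[pid]:` program tag, and an `ALERT` prefix with leading characters lost), added here as an example; it is not part of the bug report, of suhosin or of rsyslog. The sample lines are constructed after the ones quoted above, and the line format assumed is the classic BSD-style `Mon DD HH:MM:SS host tag[pid]: message` that rsyslog writes by default.

```python
import re

# Classic syslog file format: "Mon DD HH:MM:SS host tag[pid]: message".
# The tag/pid part is optional in the regex so that entries missing it still parse.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

# Constructed sample lines, modelled on the entries quoted in the bug report.
SAMPLE_LINES = [
    "Jan  3 19:14:18 otherhost suhosin[28077]: ALERT - function within blacklist called: phpinfo() (attacker '1.2.3.4', file '/var/www/phpinfo.php', line 2)",
    "Jan  3 19:08:19 myhost ALERT - function within blacklist called: phpinfo() (attacker '1.2.3.4', file '/var/www/phpinfo.php', line 2)",
    "Jan  3 20:42:42 testhost ERT - script tried to disable memory_limit by setting i...",
    "Jan  3 20:44:01 testhost LERT - script tried to disable memory_limit by setting i...",
]


def check_line(line):
    """Return the list of problems found in one syslog line; an empty list means a well-formed alert."""
    m = SYSLOG_RE.match(line)
    if not m:
        return ["unparseable"]
    problems = []
    if m.group("tag") is None:
        problems.append("missing program tag")     # no "suhosin[pid]:" after the hostname
    elif m.group("pid") is None:
        problems.append("missing pid")             # tag present but no "[pid]"
    msg = m.group("msg")
    # Every suhosin alert text begins with "ALERT - "; a shorter all-caps prefix
    # before " - " means the leading bytes of the message were lost.
    if not msg.startswith("ALERT - ") and re.match(r"^[A-Z]{0,4} - ", msg):
        problems.append("truncated ALERT prefix")
    return problems


def scan(lines):
    """Map each offending line to its problems; well-formed lines are left out."""
    return {line: probs for line in lines if (probs := check_line(line))}


if __name__ == "__main__":
    for line, probs in scan(SAMPLE_LINES).items():
        print(", ".join(probs), "<-", line[:60])
```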




Information forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#654439; Package php5-suhosin. (Wed, 04 Jan 2012 13:24:16 GMT)


Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Wed, 04 Jan 2012 13:24:18 GMT)


Message #15 received at 654439@bugs.debian.org:

From: Jan Wagner <waja@cyconet.org>
To: "Marc-Christian Petersen" <m.c.p@gmx.de>, 654439@bugs.debian.org
Cc: control@bugs.debian.org, stefan.esser@sektioneins.de
Subject: Re: Bug#654439: php5-suhosin: name and process id missing in suhosin alerts via syslog
Date: Wed, 4 Jan 2012 14:14:51 +0100
reassign 654439 php5
retitle 654439 'php5: name and process id missing in suhosin alerts via syslog'
thanks

Hi Marc-Christian,

many thanks for taking time to report this problem.

On Tuesday 03 January 2012 21:38:12 Marc-Christian Petersen wrote:
> tried that on a fresh sid install, 32bit, same problem there.
> 
> I've also noticed that sometimes you see log entries like:
> 
> Jan  3 20:42:42 testhost ERT - script tried to disable memory_limit by
> setting i... Jan  3 20:44:01 testhost LERT - script tried to disable
> memory_limit by setting i...
> 
> you notice the missing AL and missing A ...
> 
> seems Suhosin is totally b0rked with new PHP 5.3.8 ...

This functionality is part of the suhosin patch which is integrated into the
php5 package, so I'm reassigning the bug to this package.

Anyways ... actually it looks like the whole suhosin project is some kind of
abandoned.  We got no response to mailing the upstream maintainer, the
forum[1] is broken and there have been no new releases for ages, but a security problem
has been open for a long time, see #631283 [2].

The question which comes to my mind is: "Do we want to ship wheezy with software
under such bad conditions?"

Just my two cents, Jan.
[1] http://forum.hardened-php.net/
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283
-- 
Never write mail to <waja@spamfalle.info>, you have been warned!

Bug reassigned from package 'php5-suhosin' to 'php5'. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Wed, 04 Jan 2012 13:24:26 GMT)


Bug no longer marked as found in versions php-suhosin/0.9.32.1-1. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Wed, 04 Jan 2012 13:24:27 GMT)


Changed Bug title to 'php5: name and process id missing in suhosin alerts via syslog' from 'php5-suhosin: name and process id missing in suhosin alerts via syslog'. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Wed, 04 Jan 2012 13:24:28 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#654439; Package php5. (Sat, 14 Jan 2012 09:57:04 GMT)


Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 14 Jan 2012 09:57:06 GMT)


Message #26 received at 654439@bugs.debian.org:

From: Jan Wagner <waja@cyconet.org>
To: pkg-php-maint@lists.alioth.debian.org
Cc: php-suhosin-maintainers@ml.snow-crash.org, 654439@bugs.debian.org
Subject: Release state of suhosin for wheezy
Date: Sat, 14 Jan 2012 10:46:51 +0100
Dear PHP Maintainers,

On Wednesday, 4. January 2012, Jan Wagner wrote:
> On Tuesday 03 January 2012 21:38:12 Marc-Christian Petersen wrote:
> > tried that on a fresh sid install, 32bit, same problem there.
> > 
> > I've also noticed that sometimes you see log entries like:
> > 
> > Jan  3 20:42:42 testhost ERT - script tried to disable memory_limit by
> > setting i... Jan  3 20:44:01 testhost LERT - script tried to disable
> > memory_limit by setting i...
> > 
> > you notice the missing AL and missing A ...
> > 
> > seems Suhosin is totally b0rked with new PHP 5.3.8 ...
> 
> This functionality is part of the suhosin patch which is integrated into
> the php5 package, so I'm reassigning the bug to this package.
> 
> Anyways ... actually it looks like the whole suhosin project is some kind of
> abandoned.  We got no response to mailing the upstream maintainer, the
> forum[1] is broken and there have been no new releases for ages, but a security problem
> has been open for a long time, see #631283 [2].
> 
> The question which comes to my mind is: "Do we want to ship wheezy with
> software under such bad conditions?"
> 
> [1] http://forum.hardened-php.net/
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283

Any statement from your point of view about the release state of suhosin? We 
(maintainers of php-suhosin) think php-suhosin is definitely not in shape to be 
released at the moment. How do you see this for the patch you are carrying in 
php5?

Thanks and with kind regards, Jan.
-- 
Never write mail to <waja@spamfalle.info>, you have been warned!

Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#654439; Package php5. (Sat, 14 Jan 2012 10:15:03 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sat, 14 Jan 2012 10:15:08 GMT)


Message #31 received at 654439@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Jan Wagner <waja@cyconet.org>
Cc: pkg-php-maint@lists.alioth.debian.org, php-suhosin-maintainers@ml.snow-crash.org, 654439@bugs.debian.org
Subject: Re: [php-maint] Release state of suhosin for wheezy
Date: Sat, 14 Jan 2012 11:11:38 +0100
>> Anyways ... actually it looks like the whole suhosin project is some kind of
>> abandoned.  We got no response to mailing the upstream maintainer, the
>> forum[1] is broken and there have been no new releases for ages, but a security problem
>> has been open for a long time, see #631283 [2].
>>
>> The question which comes to my mind is: "Do we want to ship wheezy with
>> software under such bad conditions?"
>>
>> [1] http://forum.hardened-php.net/
>> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631283
>
> Any statement from your point of view about the release state of suhosin? We
> (maintainers of php-suhosin) think php-suhosin is definitely not in shape to be
> released at the moment. How do you see this for the patch you are carrying in
> php5?

It doesn't seem to be that abandoned to me:

http://www.hardened-php.net/suhosin/download.html (new release for 5.3.9)
https://github.com/stefanesser/suhosin

But yeah, there was only recent activity on GitHub.

Anyway, the suhosin *patch* is probably not as aggressive as the module.

O.
-- 
Ondřej Surý <ondrej@sury.org>
http://blog.rfc1925.org/




Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Mon, 09 Apr 2012 10:51:22 GMT)


Notification sent to Marc-Christian Petersen <m.c.p@gmx.de>:
Bug acknowledged by developer. (Mon, 09 Apr 2012 10:51:23 GMT)


Message #36 received at 654439-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 654439-done@bugs.debian.org, 644435-done@bugs.debian.org
Subject: Fixed in 5.4.0~rc5-1 when suhosin was disabled
Date: Mon, 9 Apr 2012 12:39:03 +0200
Version: 5.4.0~rc5-1

php5 (5.4.0~rc5-1) experimental; urgency=low

  * Imported Upstream version 5.4.0~rc5
  * Update patches for new release
  * Disable suhosin patch

 -- Ondřej Surý <ondrej@debian.org>  Thu, 19 Jan 2012 19:23:36 +0100

-- 
Ondřej Surý <ondrej@sury.org>




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 08 May 2012 07:37:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 01:46:39 2023; Machine Name: buxtehude