Debian Bug report logs - #658692
[php5-common]

Package: apt-listchanges; Maintainer for apt-listchanges is Brian Thompson <brian@hashvault.io>; Source for apt-listchanges is src:apt-listchanges (PTS, buildd, popcon).

Reported by: Jürg Hofmann <juerg.hofmann@postbox.ch>

Date: Sun, 5 Feb 2012 10:27:02 UTC

Severity: normal

Tags: security


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#658692; Package php5-common. (Sun, 05 Feb 2012 10:27:05 GMT)


Acknowledgement sent to Jürg Hofmann <juerg.hofmann@postbox.ch>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 05 Feb 2012 10:27:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Jürg Hofmann <juerg.hofmann@postbox.ch>
To: submit@bugs.debian.org
Subject: [php5-common]
Date: Sun, 05 Feb 2012 11:10:26 +0100
Package: php5-common
Version: 5.3.3-7+squeeze3
Severity: serious
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---
When I try to update php5-common and related packages, from Version:
5.3.3-7+squeeze3 to 5.3.3-7+squeeze7, I get the following info:

WARNING: terminal is not fully functional
/tmp/tmpcnqGaJ  (press RETURN)

After pressing return, the following is displayed:

php5 (5.3.3-7+squeeze5) squeeze-security; urgency=high

  * The following new directives were added as part of security fixes:
    - max_input_vars - specifies how many GET/POST/COOKIE input variables
      may be accepted.  Default value is set to 1000.
    - xsl.security_prefs - define forbidden operations within XSLT
      stylesheets.  Write operations are now disabled by default.

 -- Ond?ej Sur? <ondrej@debian.org>  Mon, 23 Jan 2012 12:22:26 +0100

php5 (5.3.3-7+squeeze4) squeeze-security; urgency=low

  * Updated blowfish crypt() algorithm fixes the 8-bit character handling
    vulnerability (CVE-2011-2483) and adds more self-tests.  Unfortunately
    this change is incompatible with some old (wrong) generated hashes for
    passwords containing 8-bit characters.  Therefore the new salt prefix
    '$2x$' was introduced which can be used as a replacement for '$2a$'
    salt prefix in the password database in case the incompatibility is
    found.

 -- Ond?ej Sur? <ondrej@debian.org>  Mon, 04 Jul 2011 10:31:16 +0200
/tmp/tmp2PNfKm (END)

The terminal hangs and nothing is updated.
Same with apt and synaptic.

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.32-5-amd64

Debian Release: 6.0.4
500 stable-updates mirror.switch.ch
500 stable security.debian.org
500 stable mirror.switch.ch

--- Package information. ---
Depends (Version) | Installed
========================-+-=============
sed (>= 4.1.1-1) | 4.2.1-7
libc6 (>= 2.4) | 2.11.3-2


Recommends (Version) | Installed
===========================-+-===========
php5-suhosin | 0.9.32.1-1


Package's Suggests field is empty.







Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#658692; Package php5-common. (Sun, 05 Feb 2012 10:33:03 GMT)


Acknowledgement sent to Lior Kaplan <kaplan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 05 Feb 2012 10:33:04 GMT)


Message #10 received at 658692@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: Jürg Hofmann <juerg.hofmann@postbox.ch>, 658692@bugs.debian.org
Subject: Re: [php-maint] Bug#658692: [php5-common]
Date: Sun, 5 Feb 2012 11:31:49 +0100
Hi,

This looks like an output of apt-listchanges. Could you try and remove this
package and update again the php package?

You've opened the bug at severity:serious, but it doesn't sound like your
php installation got broken by this message. Unless it's broken or not
functional, we'll change this bug to severity:normal.

Kaplan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#658692; Package php5-common. (Sun, 05 Feb 2012 13:30:03 GMT)


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Sun, 05 Feb 2012 13:30:03 GMT)


Message #15 received at 658692@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: Lior Kaplan <kaplan@debian.org>, 658692@bugs.debian.org, apt-listchanges@packages.debian.org
Cc: Jürg Hofmann <juerg.hofmann@postbox.ch>
Subject: Re: [php-maint] Bug#658692: Bug#658692: [php5-common]
Date: Sun, 5 Feb 2012 14:26:40 +0100
reassign 658692 apt-listchanges
severity 658692 normal
thank you

Definitely not a bug in the php5. Reassigning to apt-listchanges (it tried to
output the contents of debian/NEWS file).

What was your environment when you tried to upgrade? Some unusual
configuration of the terminal/pager/etc.?

O.




-- 
Ondřej Surý <ondrej@sury.org>




Bug reassigned from package 'php5-common' to 'apt-listchanges'. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Sun, 05 Feb 2012 13:30:05 GMT)


Bug No longer marked as found in versions php5/5.3.3-7+squeeze3. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Sun, 05 Feb 2012 13:30:05 GMT)


Severity set to 'normal' from 'serious' Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Sun, 05 Feb 2012 13:30:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:30:23 2023; Machine Name: buxtehude
