Debian Bug report logs - #704764
php5: CVE-2011-1398 results in PCI compliance scan fail


Package: php5; Maintainer for php5 is (unknown);

Reported by: Ronny Adsetts <ronny.adsetts@amazinginternet.com>

Date: Fri, 5 Apr 2013 16:15:02 UTC

Severity: important

Found in version php5/5.3.3-7+squeeze15

Fixed in versions php5/5.4.4-7, 5.4.4-14

Done: Ondřej Surý <ondrej@sury.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#704764; Package php5. (Fri, 05 Apr 2013 16:15:06 GMT)


Acknowledgement sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 05 Apr 2013 16:15:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: CVE-2011-1398 results in PCI compliance scan fail
Date: Fri, 05 Apr 2013 16:37:00 +0100
Package: php5
Version: 5.3.3-7+squeeze15
Severity: important

CVE-2011-1398 is unfixed in Debian Squeeze and is classified by Trustwave.com 
as a PCI compliance scan fail. As far as I can tell there's no way to mitigate
the problem short of building my own packages with upstream patches. I'm not
sure that this is within my capabilities as the initial fixes for this issue
were I think incomplete and resulted in CVE-2012-4388.

I've searched the Debian bugs for PHP and can't find reference to this issue.

Is there a chance that CVE-2011-1398 (and therefore CVE-2012-4388) will be
fixed for Debian Squeeze with a security release?

Thanks.

Ronny


-- System Information:
Debian Release: 6.0.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5    5.3.3-7+squeeze15 server-side, HTML-embedded scripti
ii  php5-common            5.3.3-7+squeeze15 Common files for packages built fr

php5 recommends no packages.

php5 suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#704764; Package php5. (Tue, 14 Jan 2014 00:21:04 GMT)


Acknowledgement sent to Lior Kaplan <kaplan@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 14 Jan 2014 00:21:04 GMT)


Message #10 received at 704764@bugs.debian.org:

From: Lior Kaplan <kaplan@debian.org>
To: 704764@bugs.debian.org
Subject: more info
Date: Tue, 14 Jan 2014 02:18:19 +0200
More info at https://bugs.php.net/bug.php?id=60227

Relevant upstream patch:
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e82bda330264d290a5e55580eea2eb875d4cb69

Kaplan

Reply sent to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility. (Fri, 04 Jul 2014 13:03:27 GMT)


Notification sent to Ronny Adsetts <ronny.adsetts@amazinginternet.com>:
Bug acknowledged by developer. (Fri, 04 Jul 2014 13:03:27 GMT)


Message #15 received at 704764-done@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: 614904-done@bugs.debian.org, 620015-done@bugs.debian.org, 704764-done@bugs.debian.org, 628054-done@bugs.debian.org, 620948-done@bugs.debian.org, 620423-done@bugs.debian.org, 620015-done@bugs.debian.org
Subject: Re: Closing bugs filed against php5 in oldstable
Date: Fri, 04 Jul 2014 15:00:44 +0200
Version: 5.4.4-14

One more batch...

On Fri, Jul 4, 2014, at 14:09, Ondřej Surý wrote:
> Version: 5.4.4-14
> 
> Hey all,
> 
> I am closing the bugs that were filed against php5 5.3 in Debian
> oldstable (well and earlier)...
> 
> Feel free to reopen the bug if you can reproduce it with php5 from
> the current stable Debian release.
> 
> Cheers,
> -- 
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Marked as fixed in versions php5/5.4.4-7. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 09 Jul 2014 08:51:14 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 07 Aug 2014 07:33:42 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 03:38:07 2023; Machine Name: buxtehude
