Debian Bug report logs - #779153
php5: Please package new upstream version 5.4.38 because of CVE-2015-0273

version graph

Package: php5; Maintainer for php5 is (unknown);

Reported by: David Mohr <david@mcbf.net>

Date: Tue, 24 Feb 2015 21:57:01 UTC

Severity: normal

Found in version php5/5.4.36-0+deb7u3

Fixed in version php5/5.4.38-0+deb7u1

Done: Ondřej Surý <ondrej@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#779153; Package php5. (Tue, 24 Feb 2015 21:57:06 GMT) (full text, mbox, link).


Acknowledgement sent to David Mohr <david@mcbf.net>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 24 Feb 2015 21:57:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: David Mohr <david@mcbf.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: Please package new upstream version 5.4.38 because of CVE-2015-0273
Date: Tue, 24 Feb 2015 22:55:29 +0100
Package: php5
Version: 5.4.36-0+deb7u3
Severity: normal

Dear Maintainer,

I'm a little concerned that there doesn't seem to be much activity to
package php 5.4.38 which came out with the following announcement about
a week ago:

"
This release fixes several bugs and addresses CVE-2015-0235 and
CVE-2015-0273. All PHP 5.5 users are encouraged to upgrade to this
version.
"

This affects squeeze as well, but I have no idea if a patch is available
for 5.3.

https://security-tracker.debian.org/tracker/CVE-2015-0273

Is there a particular reason for this delay?

Thanks,
~David

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12.20-x86_64-jb1 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages php5 depends on:
ii  libapache2-mod-php5  5.4.36-0+deb7u3
ii  php5-common          5.4.36-0+deb7u3
ii  php5-fpm             5.4.36-0+deb7u3

php5 recommends no packages.

php5 suggests no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#779153; Package php5. (Thu, 26 Feb 2015 21:27:08 GMT) (full text, mbox, link).


Acknowledgement sent to David Mohr <david@mcbf.net>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Thu, 26 Feb 2015 21:27:08 GMT) (full text, mbox, link).


Message #10 received at 779153@bugs.debian.org (full text, mbox, reply):

From: David Mohr <david@mcbf.net>
To: 779153@bugs.debian.org
Subject: Packaged php 5.4.38
Date: Thu, 26 Feb 2015 14:24:16 -0700
Hi,

please consider reviewing my packaging:
  http://de.mcbf.net/~squisher/debian/php/php5_5.4.38-0.dsc

A couple of patches seem to have been adopted upstream, and I had to add 
one minor fix for the crypt config.m4.

Thank you for your hard work!

~David



Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#779153; Package php5. (Fri, 27 Feb 2015 09:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Fri, 27 Feb 2015 09:39:08 GMT) (full text, mbox, link).


Message #15 received at 779153@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: David Mohr <david@mcbf.net>, 779153@bugs.debian.org
Subject: Re: [php-maint] Bug#779153: Packaged php 5.4.38
Date: Fri, 27 Feb 2015 10:34:46 +0100
Hi David,

thanks, but 5.4.38-0+deb7u1 is already prepared and submitted to Debian
security-team to review.

http://anonscm.debian.org/cgit/pkg-php/php.git/log/?h=master-wheezy

On related note - would you be interested in joining the packaging team?
We are especially keen on reviewing new releases and testing them in
production before pushing it to security-updates...

Cheers,
Ondrej

On Thu, Feb 26, 2015, at 22:24, David Mohr wrote:
> Hi,
> 
> please consider reviewing my packaging:
>    http://de.mcbf.net/~squisher/debian/php/php5_5.4.38-0.dsc
> 
> A couple of patches seem to have been adopted upstream, and I had to add 
> one minor fix for the crypt config.m4.
> 
> Thank you for your hard work!
> 
> ~David
> 
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint


-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Marked as fixed in versions php5/5.4.38-0+deb7u1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 14 Apr 2015 13:42:26 GMT) (full text, mbox, link).


Marked Bug as done Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 14 Apr 2015 13:57:14 GMT) (full text, mbox, link).


Notification sent to David Mohr <david@mcbf.net>:
Bug acknowledged by developer. (Tue, 14 Apr 2015 13:57:15 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 May 2015 07:28:04 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:52:16 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.