Debian Bug report logs - #812788
php5: php security update breaks php-net-ldap2

Package: php-net-ldap2; Maintainer for php-net-ldap2 is Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>; Source for php-net-ldap2 is src:php-net-ldap2.

Reported by: michael-dev@fami-braun.de

Date: Tue, 26 Jan 2016 15:48:02 UTC

Severity: normal

Merged with 812892

Found in version php-net-ldap2/2.0.12-1

Fixed in versions php-net-ldap2/2.2.0-1, php-net-ldap2/2.0.12-1+deb8u1

Done: Prach Pongpanich <prachpub@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#812788; Package php5-common. (Tue, 26 Jan 2016 15:48:05 GMT)


Acknowledgement sent to michael-dev@fami-braun.de:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>. (Tue, 26 Jan 2016 15:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: michael-dev@fami-braun.de
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: php5: php security update breaks php-net-ldap2
Date: Tue, 26 Jan 2016 16:45:48 +0100
Package: php5-common
Version: 5.6.17+dfsg-0+deb8u1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

unattended upgrades upgraded php5 from 5.6.14+dfsg-0+deb8u1 to 5.6.17+dfsg-0+deb8u1 in jessie automatically.
php-net-ldap2 is version 2.0.12-1 from debian stable.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Visiting a php based website that required Net::LDAP2.

   * What was the outcome of this action?

An empty website with PHP error:

PHP message: PHP Fatal error:  Access level to Net_LDAP2_RootDSE::__construct() must be public (as in class PEAR) in /usr/share/php/Net/LDAP2/RootDSE.php on line 0

   * What outcome did you expect instead?

I did not expect php5 stable updates to break a debian stable package.

Regards,
 M. Braun

-- Package-specific info:
==== Additional PHP 5 information ====

++++ PHP 5 SAPI (php5query -S): ++++
fpm
cli
cgi

++++ PHP 5 Extensions (php5query -M -v): ++++
memcached (Enabled for fpm by local administrator)
memcached (Enabled for cli by local administrator)
memcached (Enabled for cgi by local administrator)
json (Enabled for fpm by maintainer script)
json (Enabled for cli by maintainer script)
json (Enabled for cgi by maintainer script)
curl (Enabled for fpm by maintainer script)
curl (Enabled for cli by maintainer script)
curl (Enabled for cgi by maintainer script)
mcrypt (Enabled for fpm by maintainer script)
mcrypt (Enabled for cli by maintainer script)
mcrypt (Enabled for cgi by maintainer script)
svn (Enabled for fpm by maintainer script)
svn (Enabled for cli by maintainer script)
svn (Enabled for cgi by maintainer script)
pdo_pgsql (Enabled for fpm by maintainer script)
pdo_pgsql (Enabled for cli by maintainer script)
pdo_pgsql (Enabled for cgi by maintainer script)
opcache (Enabled for fpm by maintainer script)
opcache (Enabled for cli by maintainer script)
opcache (Enabled for cgi by maintainer script)
readline (Enabled for fpm by maintainer script)
readline (Enabled for cli by maintainer script)
readline (Enabled for cgi by maintainer script)
pgsql (Enabled for fpm by maintainer script)
pgsql (Enabled for cli by maintainer script)
pgsql (Enabled for cgi by maintainer script)
pdo (Enabled for fpm by maintainer script)
pdo (Enabled for cli by maintainer script)
pdo (Enabled for cgi by maintainer script)
tidy (Enabled for fpm by maintainer script)
tidy (Enabled for cli by maintainer script)
tidy (Enabled for cgi by maintainer script)
xdebug (Enabled for fpm by maintainer script)
xdebug (Enabled for cli by maintainer script)
xdebug (Enabled for cgi by maintainer script)
gd (Enabled for fpm by maintainer script)
gd (Enabled for cli by maintainer script)
gd (Enabled for cgi by maintainer script)
xmlrpc (Enabled for fpm by maintainer script)
xmlrpc (Enabled for cli by maintainer script)
xmlrpc (Enabled for cgi by maintainer script)
pdo_mysql (Enabled for fpm by maintainer script)
pdo_mysql (Enabled for cli by maintainer script)
pdo_mysql (Enabled for cgi by maintainer script)
imagick (Enabled for fpm by maintainer script)
imagick (Enabled for cli by maintainer script)
imagick (Enabled for cgi by maintainer script)
intl (Enabled for fpm by maintainer script)
intl (Enabled for cli by maintainer script)
intl (Enabled for cgi by maintainer script)
mysqli (Enabled for fpm by maintainer script)
mysqli (Enabled for cli by maintainer script)
mysqli (Enabled for cgi by maintainer script)
redis (Enabled for fpm by local administrator)
redis (Enabled for cli by local administrator)
redis (Enabled for cgi by local administrator)
apcu (Enabled for fpm by maintainer script)
apcu (Enabled for cli by maintainer script)
apcu (Enabled for cgi by maintainer script)
ldap (Enabled for fpm by maintainer script)
ldap (Enabled for cli by maintainer script)
ldap (Enabled for cgi by maintainer script)
memcache (Enabled for fpm by local administrator)
memcache (Enabled for cli by local administrator)
memcache (Enabled for cgi by local administrator)
mysql (Enabled for fpm by maintainer script)
mysql (Enabled for cli by maintainer script)
mysql (Enabled for cgi by maintainer script)

++++ Configuration files: ++++
**** /etc/php5/mods-available/pdo.ini ****
extension=pdo.so

**** /etc/php5/mods-available/opcache.ini ****
zend_extension=opcache.so


-- System Information:
Debian Release: 8.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages php5 depends on:
ii  php5-cgi     5.6.17+dfsg-0+deb8u1
ii  php5-common  5.6.17+dfsg-0+deb8u1
ii  php5-fpm     5.6.17+dfsg-0+deb8u1

php5 recommends no packages.

php5 suggests no packages.

Versions of packages php5-common depends on:
ii  libc6   2.19-18+deb8u2
ii  lsof    4.86+dfsg-1
ii  psmisc  22.21-2
ii  sed     4.2.2-4+b1
ii  ucf     3.0030

Versions of packages php5-common suggests:
ii  php5-apcu [php5-user-cache]  4.0.7-1

-- no debconf information
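
The fatal error reported above follows from PHP's rule that an overriding method may not be less visible than the one it overrides; the message shows the parent class PEAR declaring a public constructor. As an added example (not part of this bug log or of any Debian or PEAR tooling), the shell function below scans a tree such as /usr/share/php for classes that extend PEAR yet declare a protected or private `__construct()`. The function names, sample files and class names are constructed, and the match is a line-based heuristic rather than a PHP parser.

```sh
#!/bin/sh
# Added example. Heuristic line-based scan, not a PHP parser: list classes
# that extend BASE yet declare a protected/private __construct(). PHP refuses
# to load such a class once BASE itself declares a public constructor.

# find_narrowed_ctors DIR [BASE]  ->  "file: Class (visibility)" per hit
find_narrowed_ctors() {
    dir=$1
    base=${2:-PEAR}
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        awk -v base="$base" -v file="$f" '
            # Track the current class and whether it extends BASE directly.
            /^[ \t]*(abstract[ \t]+|final[ \t]+)?class[ \t]+[A-Za-z_]/ {
                line = $0
                sub(/^[ \t]*(abstract[ \t]+|final[ \t]+)?class[ \t]+/, "", line)
                n = split(line, w, /[ \t{]+/)
                cls = w[1]
                hit = (n >= 3 && w[2] == "extends" && w[3] == base)
                next
            }
            hit && /(protected|private)[ \t]+function[ \t]+&?[ \t]*__construct[ \t]*\(/ {
                vis = ($0 ~ /private/) ? "private" : "protected"
                printf "%s: %s (%s)\n", file, cls, vis
            }
        ' "$f"
    done
}

# Constructed sample tree (hypothetical class names) for a dry run.
write_constructed_sample() {
    cat > "$1/Broken.php" <<'EOF'
<?php
class Sample_RootDSE extends PEAR
{
    protected function __construct(&$ldap) {}
}
EOF
    cat > "$1/Fixed.php" <<'EOF'
<?php
class Sample_Entry extends PEAR
{
    public function __construct() {}
}
EOF
    cat > "$1/Unrelated.php" <<'EOF'
<?php
class Sample_Util
{
    private function __construct() {}
}
EOF
}

tmp=$(mktemp -d); write_constructed_sample "$tmp"; find_narrowed_ctors "$tmp"; rm -rf "$tmp"
```

Only direct subclasses written as `class X extends PEAR` on one line are caught; indirect descendants need a second pass with the intermediate class name as BASE.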



Bug reassigned from package 'php5-common' to 'php-net-ldap2'. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Thu, 28 Jan 2016 03:54:03 GMT)


No longer marked as found in versions php5/5.6.17+dfsg-0+deb8u1. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Thu, 28 Jan 2016 03:54:04 GMT)


Marked as found in versions php-net-ldap2/2.0.12-1. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Thu, 28 Jan 2016 03:54:05 GMT)


Merged 812788 812892 Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Thu, 28 Jan 2016 03:54:06 GMT)


Marked as fixed in versions php-net-ldap2/2.2.0-1. Request was from Prach Pongpanich <prachpub@gmail.com> to control@bugs.debian.org. (Mon, 01 Feb 2016 04:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>:
Bug#812788; Package php-net-ldap2. (Mon, 01 Feb 2016 09:51:04 GMT)


Acknowledgement sent to "M. Braun" <michael-dev@fami-braun.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>. (Mon, 01 Feb 2016 09:51:04 GMT)


Message #20 received at 812788@bugs.debian.org:

From: "M. Braun" <michael-dev@fami-braun.de>
To: 812788@bugs.debian.org, alex@treefish.org
Subject: Fwd: Re: [php-maint] Bug#812788: php5: php security update breaks php-net-ldap2
Date: Mon, 1 Feb 2016 10:49:40 +0100
I've not tried that diff but instead used "pear upgrade Net::LDAP2" to
upgrade php-net-ldap2. That fixed it.

Regards,
 M. Braun


-------- Forwarded Message --------
Subject: Re: [php-maint] Bug#812788: php5: php security update breaks
php-net-ldap2
Date: Tue, 26 Jan 2016 17:16:37 +0100
From: Ondřej Surý <ondrej@sury.org>
To: michael-dev@fami-braun.de, Debian Bug Tracking System
<submit@bugs.debian.org>

Hi Michael,

sorry for the breakage, we will prepare a fixed package shortly.

Meanwhile the patch is very simple and applying it should fix your
installation as an immediate remedy:
https://github.com/pear/Net_LDAP2/commit/df99b63de9b2459b5e0cd94bd26f38f3010f992e

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

On Tue, Jan 26, 2016, at 16:45, michael-dev@fami-braun.de wrote:
> Package: php5-common
> Version: 5.6.17+dfsg-0+deb8u1
> Severity: normal
> 
> Dear Maintainer,
> 
>    * What led up to the situation?
> 
> unattended upgrades upgraded php5 from 5.6.14+dfsg-0+deb8u1 to
> 5.6.17+dfsg-0+deb8u1 in jessie automatically.
> php-net-ldap2 is version 2.0.12-1 from debian stable.
> 
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
> 
> Visiting a php based website that required Net::LDAP2.
> 
>    * What was the outcome of this action?
> 
> An empty website with PHP error:
> 
> PHP message: PHP Fatal error:  Access level to
> Net_LDAP2_RootDSE::__construct() must be public (as in class PEAR) in
> /usr/share/php/Net/LDAP2/RootDSE.php on line 0
> 
>    * What outcome did you expect instead?
> 
> I did not expect php5 stable updates to break a debian stable package.
> 
> Regards,
>  M. Braun





Reply sent to Prach Pongpanich <prachpub@gmail.com>:
You have taken responsibility. (Fri, 05 Feb 2016 08:09:12 GMT)


Notification sent to michael-dev@fami-braun.de:
Bug acknowledged by developer. (Fri, 05 Feb 2016 08:09:12 GMT)


Message #25 received at 812788-close@bugs.debian.org:

From: Prach Pongpanich <prachpub@gmail.com>
To: 812788-close@bugs.debian.org
Subject: Bug#812788: fixed in php-net-ldap2 2.0.12-1+deb8u1
Date: Fri, 05 Feb 2016 08:04:52 +0000
Source: php-net-ldap2
Source-Version: 2.0.12-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
php-net-ldap2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 812788@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Prach Pongpanich <prachpub@gmail.com> (supplier of updated php-net-ldap2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 27 Jan 2016 13:05:48 +0700
Source: php-net-ldap2
Binary: php-net-ldap2
Architecture: source all
Version: 2.0.12-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: Debian PHP PEAR Maintainers <pkg-php-pear@lists.alioth.debian.org>
Changed-By: Prach Pongpanich <prachpub@gmail.com>
Description:
 php-net-ldap2 - PHP PEAR module for searching and manipulating LDAP-entries
Closes: 812788
Changes:
 php-net-ldap2 (2.0.12-1+deb8u1) jessie; urgency=medium
 .
   * Add Fix_Fatal_error_with_PEAR_1.10.0.patch (Closes: #812788)




Reply sent to Prach Pongpanich <prachpub@gmail.com>:
You have taken responsibility. (Fri, 05 Feb 2016 08:09:13 GMT)


Notification sent to Arnaud Virlet <avirlet@easter-eggs.com>:
Bug acknowledged by developer. (Fri, 05 Feb 2016 08:09:13 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 05 Mar 2016 07:46:32 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:46:19 2023; Machine Name: buxtehude
