
PHP Update .. details



  It's looking like there won't be an update to PHP for Woody, because
 the majority of the PHP issues aren't relevant.

  Initially a few CVE numbers were assigned and then later withdrawn
 when it became clear that the issues could only be exploited by a 
 user who wrote a malicious PHP script - not a remote issue, or too
 serious.  (Given that if you had the ability to write evil PHP code
 you could just run 'system('rm ..');'.)

  So .. there are two CVE IDs that are left:

 CAN-2004-1019
   - http://www.hardened-php.net/advisories/012004.txt
   - Woody not vulnerable.

 CAN-2004-1065 
   - http://msgs.securepoint.com/cgi-bin/get/bugtraq0412/157.html
   - Woody not vulnerable.

 
  All other CVE IDs were withdrawn, such as:

   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1018
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1064
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1063

  For all those people offering to help by investigating the problems
 or looking at patches - thanks.

  For all those people merely complaining that a new update wasn't
 immediately available .. your patience is appreciated.

  (And for anybody still confused about the worm going around,
 that's something only affecting PHPBB - updated PHP wouldn't help that
 at all anyway).

Steve
--
www.debian-administration.org


