
Re: RFS: php-geoip (updated package)



Sergey B Kirpichev schrieb:
> Dear mentors,
> 
> I am looking for a sponsor for the new version 1.0.5-1
> of my package "php-geoip".
> 
> It builds these binary packages:
> php5-geoip - GeoIP module for php5
> 
> The package appears to be lintian clean.
> 
> The package can be found on mentors.debian.net:
> - URL: http://mentors.debian.net/debian/pool/main/p/php-geoip
> - Source repository: deb-src http://mentors.debian.net/debian unstable main contrib non-free
> - dget http://mentors.debian.net/debian/pool/main/p/php-geoip/php-geoip_1.0.5-1.dsc
> 
> I would be glad if someone uploaded this package for me.
> 
> 
> 

I had a look at your package and this gives me a headache:

php-geoip (1.0.5-1) unstable; urgency=low

  * New upstream release.  Fix security issue:
    + formatting bug in phpinfo()

From the upstream changelog:
* Small bug in phpinfo() when printing version number could crash PHP.

So a local/remote attacker could crash PHP (also the webserver?) by
just using phpinfo()?

I CCed the security team; this fix should also go into Lenny, and
your urgency should be bumped to something higher than low.


-- 
/*
Mit freundlichem Gruß / With kind regards,
Patrick Matthäi

E-Mail: patrick.matthaei@web.de

Comment:
Always if we think we are right,
we were maybe wrong.
*/

