
Re: Correction to CVE-2015-3330 information



Hi Will,

On Mon, Jun 01, 2015 at 11:04:47PM +0200, Salvatore Bonaccorso wrote:
> Hi Will,
> 
> On Mon, Jun 01, 2015 at 02:31:15PM -0600, Will Aoki wrote:
> > https://security-tracker.debian.org/tracker/CVE-2015-3330 shows
> > everything but squeeze-lts as vulnerable. There are two corrections I
> > suggest:
> > 
> > - As I understand it, wheezy isn't affected unless someone has upgraded
> >   Apache to 2.4.
> > 
> > - This problem was fixed in 5.6.7+dfsg-1, the version currently in
> >   jessie. The changelog only mentions PHP bugs #68486 and #69218 because
> >   a CVE number hadn't been issued yet.
> 
> Thanks for your update. I have marked the fixed version. I have though
> not changed the information for wheezy due to the source being
> affected.

Actually 5.4.36-0+deb7u1 applied as well the following patch:

https://sources.debian.net/src/php5/5.4.39-0%2Bdeb7u2/debian/patches/0060-PHP-SegFault-zend_hash_find-PHP-68486.patch/

Thanks for the heads-up.

Regards,
Salvatore

