
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

On Thursday, 2002-02-28 at 08:37:45 -0000, Jeff wrote:
> I received this CERT Advisory about 6 hours ago, regarding PHP. 
> The php website confirms the details: www.php.net

> I think this is going to be a problem for us, due to the way
> the Debian packaging works - 

> We upgraded to Apache 1.3.19-1 for security reasons.
> Package dependencies meant we ended up with:
>   apache       1.3.19-1
>   mod_ssl      2.8.2-1
>   openssl      0.9.6a-3
>   libssl0.9.6  0.9.6a3
>   php4         4.0.5-2
>   php4-mysql   4.0.5-2
>   mysql-server 3.23.46-2
>   mysql-common 3.23.46-2
>   mysql-client 3.23.46-2

It looks like you are talking about Debian 2.2, aka Debian stable,
aka Debian Potato. Yes, this is getting a little long in the tooth.
If you want to run more up to date packages, you have to
get them from the "testing", aka Woody release, or even from
"unstable", aka Sid.

I'm doing the same, based on testing, when I need packages
that aren't in testing (yet). Put this in /etc/apt/preferences:

Package: *
Pin: release a=stable
Pin-Priority: 100

Package: *
Pin: release a=testing
Pin-Priority: -10

(Replace a=testing with a=unstable if you want, or add
another paragraph for unstable. I'd assume the priority
for that should be even lower.)

Now, you can manually install packages from testing with:
	apt-get -t testing install apache
Dependencies will be satisfied from that release, too.
So be careful not to download half of testing.

You would be even better off upgrading to testing,
but the upgrade will probably be rough. Citing from the
latest debian-new mail:

> Upgrading from Potato to Woody. Dale Scheetz [14] completed his second
> attempt at a smooth upgrade from Potato to Woody. Things went much
> better this time, but there are still some slight gotchas that will
> need to be detailed in the upgrade notes. Before actually upgrading,
> one has to install new versions of apt, dpkg and apt-utils, though.

>  14. http://lists.debian.org/debian-devel-0202/msg01868.html

Maybe you should try to download packages and install them one by one.
Or even compile Apache, PHP, etc. yourself.

Or wait if somebody provides an updated php4 package (4.0.5-3?).

Lupe Christoph
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |
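The pinning stanzas above work because apt sorts candidate versions into priority bands; as an added example that is not from this thread, here is a small POSIX sh/awk helper that parses such stanzas and names the apt_preferences(5) band each priority falls into (the band labels are my own wording of the man page rules; the input is the two stanzas from the message, embedded as constructed data):

```shell
#!/bin/sh
# Added example: summarise an apt preferences file and show what each
# Pin-Priority means. Assumes the stanza layout used above
# (Package / Pin / Pin-Priority, stanzas separated by a blank line).

# Constructed input: the two stanzas from the message above.
PREFS='Package: *
Pin: release a=stable
Pin-Priority: 100

Package: *
Pin: release a=testing
Pin-Priority: -10'

# pin_summary STANZAS -> one line per stanza: "<pin> <priority> <band>"
# Bands follow apt_preferences(5): >=1000 may downgrade, 990..999 acts
# like the target release, 500..989 loses only to the target release,
# 100..499 loses to any other release, 1..99 only fills an empty slot,
# and anything negative is never installed (even with -t, apt refuses it).
pin_summary() {
    printf '%s\n' "$1" | awk 'BEGIN { RS = ""; FS = "\n" }
    {
        pin = ""; have_prio = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Pin:/) { pin = $i; sub(/^Pin:[ \t]*/, "", pin) }
            if ($i ~ /^Pin-Priority:/) {
                p = $i; sub(/^Pin-Priority:[ \t]*/, "", p)
                prio = p + 0; have_prio = 1
            }
        }
        if (pin == "" || !have_prio) next      # skip malformed stanzas
        if (prio >= 1000)     band = "install-even-if-downgrade"
        else if (prio >= 990) band = "preferred-like-target-release"
        else if (prio >= 500) band = "install-unless-target-release-has-one"
        else if (prio >= 100) band = "install-unless-another-release-has-one"
        else if (prio > 0)    band = "install-only-if-nothing-installed"
        else                  band = "never-installed"
        print pin, prio, band
    }'
}

# Stand-alone run: shows that stable is the normal source and testing
# is blocked unless explicitly requested. Check the live result with
# "apt-cache policy <package>" on the host afterwards.
pin_summary "$PREFS"
```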
