Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

To: Jeff <jaa.debian@aquabolt.com>
Cc: debian-security@lists.debian.org
Subject: Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
From: Lupe Christoph <lupe@lupe-christoph.de>
Date: Thu, 28 Feb 2002 10:37:22 +0100
Message-id: <[🔎] 20020228103722.N25958@alanya.lupe-christoph.de>
In-reply-to: <[🔎] 001501c1c033$35043da0$3264a8c0@kursa>; from jaa.debian@aquabolt.com on Thu, Feb 28, 2002 at 08:37:45AM -0000
References: <[🔎] 001501c1c033$35043da0$3264a8c0@kursa>

On Thursday, 2002-02-28 at 08:37:45 -0000, Jeff wrote:
> I received this CERT Advisory about 6 hours ago, regarding PHP. 
> The php website confirms the details: www.php.net

> I think this is going to be a problem for us, due to the way
> the Debian packaging works - 

> We upgraded to Apache 1.3.19-1 for security reasons.
> Package dependencies meant we ended up with:
>   apache       1.3.19-1
>   mod_ssl      2.8.2-1
>   openssl      0.9.6a-3
>   libssl0.9.6  0.9.6a3
>   php4         4.0.5-2
>   php4-mysql   4.0.5-2
>   mysql-server 3.23.46-2
>   mysql-common 3.23.46-2
>   mysql-client 3.23.46-2

It looks like you are talking about Debian 2.2, aka Debian stable,
aka Debian Potato. Yes, this is getting a little long in the tooth.
If you want to run more up to date packages, you have to
get them from the "testing", aka Woody release, or even from
"unstable", aka Sid.

I'm doing the same from based on testing when I need packages
that aren't in testing (yet). Put this in /etc/apt/preferences:

Package: *
Pin: release a=stable
Pin-Priority: 100

Package: *
Pin: release a=testing
Pin-Priority: -10

(Replace a=testing with a=unstable if you want or add
anothe paragraph for unstable. I'd assume the priority
for that should be even lower.)

Now, you can manually install packages from testing with:
	apt-get -t testing apache
Dependencies will be satisfied from that release, too.
So be careful not to download half of testing.

You would be even better off upgrading to testing,
but the upgrade will probably be rough. Citing from the
latest debian-new mail:

> Upgrading from Potato to Woody. Dale Scheetz [14]completed his second
> attempt at a smooth upgrade from Potato to Woody. Things went much
> better this time, but there are still some slight gotchas that will
> need to be detailed in the upgrade notes. Before actually upgrading,
> one has to install new versions of apt, dpkg and apt-utils, though.

>  14. http://lists.debian.org/debian-devel-0202/msg01868.html

Maybe you should try to download packages and install them one by one.
Or even compile Apache, PHP, etc. yourself.

Or wait if somebody provides an updated php4 package (4.0.5-3?).

HTH,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |        http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a      |
| Bat-Leth contest on the holodeck. They will not concern us again.      |
| http://public.logica.com/~stepneys/joke/klingon.htm                    |

Reply to:

Follow-Ups:
- Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
  - From: Dmitry Borodaenko <d.borodaenko@sam-solutions.net>

References:
- CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
  - From: "Jeff" <jaa.debian@aquabolt.com>

Prev by Date: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Next by Date: Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Previous by thread: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Next by thread: Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Index(es):
- Date
- Thread