PHP 5.2.2 fixes several vulnerabilities

Bug #112321 reported by Fridtjof Busse
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Kees Cook

Bug Description

Binary package hint: php5

PHP 5.2.2 fixes several vulnerabilities, of which some could possibly be triggered externally. This should get fixed asap.
http://www.php.net/releases/5_2_2.php

David Garcia Rojo (ouioui51) wrote :

Hi,
I have multiple security holes concerning Apache and PHP5.
I've used Nessus to find them.

I think the report I've attached could help in resolving them.
We just have to update to the new package.

Fridtjof Busse (fbusse-deactivatedaccount-deactivatedaccount) wrote :

A Nessus-logfile is not really helpful, especially as most of the problems found have already been fixed with USN-455-1.
Nonetheless, is anybody working on this?

Kees Cook (kees) wrote : Re: [Bug 112321] Re: PHP 5.2.2 fixes several vulnerabilities

On Sun, May 06, 2007 at 03:43:17PM -0000, Fridtjof Busse wrote:
> A Nessus-logfile is not really helpful, especially as most of the problems found have already been fixed with USN-455-1.
> Nonetheless, is anybody working on this?

There are a few issues that are in the 5.2.2 update that are "new"
issues (i.e. not from the MOPB), which will be incorporated into another
php5 update. I've got this on my todo list, but if someone else can
prepare a patch against our current php5, I would be happy to get it. :)

--
Kees Cook @outflux.net

Jim Tarvid (tarvid) wrote :
Ante Karamatić (ivoks) wrote :

Jim, CVE-2007-1718 was fixed with USN-455-1 on April 23.

Kees Cook (kees) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. This problem has been addressed with the following USN:

http://www.ubuntu.com/usn/usn-462-1

Please feel free to report future bugs.

Changed in php5:
assignee: nobody → keescook
importance: Undecided → High
status: Unconfirmed → Fix Released
Kees Cook (kees) wrote :

Note that CVE-2007-1001 does not apply to Ubuntu (or Debian) because Ubuntu's PHP links against the system libgd2, which is not vulnerable.
