Need to upgrade apache2 and php5 for security reasons
Neal McBurnett
neal at bcn.boulder.co.us
Wed Jul 2 20:31:55 UTC 2008
On Wed, Jul 02, 2008 at 04:06:00PM -0400, Scott Kitterman wrote:
> On Wednesday 02 July 2008 15:10, Daniel Hahler wrote:
> > Christian Desrochers wrote:
> > > Our web servers have been checked recently by an external security firm.
> > > We have been told that our web servers need to be upgraded to the latest
> > > version in order to fix some security issues.
> >
> > The changelog for PHP 5.2.6 lists:
> > * Fixed possible stack buffer overflow in the FastCGI SAPI
> > identified by Andrei Nigmatulin.
> > * Fixed integer overflow in printf() identified by Maksymilian
> > Aciemowicz.
> > * Fixed security issue detailed in CVE-2008-0599 identified by Ryan
> > Permeh.
> > * Fixed a safe_mode bypass in cURL identified by Maksymilian
> > Arciemowicz.
> > * Properly address incomplete multibyte chars inside
> > escapeshellcmd() identified by Stefan Esser.
> > * Upgraded bundled PCRE to version 7.6
> >
> > ..and there hasn't been any upload to *-security for this (AFAICS).
> >
> > Previously I was using PHP from CVS (branch PHP_5_2) and updated that
> > from time to time, following the CVS commits.
> >
> > On a new server I'm using the official packages, but have backported the
> > package from Debian unstable (and/or Intrepid) to include all the fixes.
> >
> > I think it would make a lot of sense to request a backport for PHP (for
> > Dapper, Gutsy and Hardy; see
> > https://help.ubuntu.com/community/UbuntuBackports).
> >
> > Still, it looks like a security update would be required, too.
>
> Daniel,
>
> It would be nice if you could file some bugs and provide some patches ...
Hmm - this is all discussed in 227464:
https://bugs.edge.launchpad.net/ubuntu/+source/php5/+bug/227464
Fixed in Intrepid, and progress is being made on good patches for a
security update. A debdiff is available:
https://bugs.edge.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15
and a ppa version for Hardy in
https://edge.launchpad.net/~tormodvolden/+archive
Which all goes to show that searching the bug database first, or early
on in the conversation, would avoid a lot of messages....
Neal McBurnett http://mcburnett.org/neal/