[php-maint] Re: packages for sarge?
Martin Schulze
joey at infodrom.org
Thu Aug 25 09:19:18 UTC 2005
Steve Langasek wrote:
> On Wed, Aug 24, 2005 at 06:44:33PM -0700, Steve Langasek wrote:
> > On Wed, Aug 24, 2005 at 06:51:47PM +0200, Martin Schulze wrote:
> > > Zoran Dzelajlija wrote:
> > > > CC-ing the security team as suggested on #debian.
>
> > > > Explanation: this security related bug in XML_RPC, part of php4-pear
> > > > package, has been closed by an upload to unstable, but the version in
> > > > sarge is still affected.
>
> > > > Quoting Zoran Dzelajlija (jelly at srce.hr):
> > > > > Hi, any word of a sarge release to cover CAN-2005-1921 and, to kill two
> > > > > flies, the new XML_RPC bug CAN-2005-2498? I've applied Ubuntu's
> > > > > patches for both to a local build without much hassle...
>
> > > > > Also, is there some user-friendly documentation about the new BTS
> > > > > features (found vs. tagging for sarge)? Should this bug be reopened
> > > > > until sarge gets a fix for these vulnerabilities?
>
> > > Are you able to extract a clean patch to fix the problem? We may
> > > also need to update oldstable at the same time.
>
> > I have a 4:4.3.10-16 for sarge here that includes cleanly separated patches
> > for the security bugs; packages will be available for download soon.
> > TTBOMK, woody did not include any XML_RPC PEAR code and so is not vulnerable
> > to those bugs, but I'll check it out to be sure.
>
> Confirmed. woody's version of php4-pear included XML/Parser, but not
> XML/RPC. The php4-dev package does include shtool, so it may be vulnerable
> to 2005-1751; the patch for this is attached, in case you have a chance to
> roll it into a package before we do.
Done.
> Anyway, signed packages for sarge (4:4.3.10-16) are on their way up to
> <people.debian.org/~vorlon/php4/>.
Thanks a lot!
When I look at the diff:
--- php4-4.3.10/debian/rules
+++ php4-4.3.10/debian/rules
@@ -319,6 +319,10 @@
chmod 755 $(CURDIR)/debian/php4-pear/usr/share/php/tests/DB/tests/driver/run.cvs
chmod 755 $(CURDIR)/debian/php4-pear/usr/share/php/tests/DB/tests/run.cvs
+ # PEAR security patches
+ patch -p0 < debian/patches/PEAR-CAN_2005_1921_xmlrpc.nopatch
+ patch -p0 < debian/patches/PEAR-CAN_2005_2498_xmlrpc.nopatch
+
# install extensions
ext=`./debian/libapache-mod-php4/usr/bin/php-config --extension-dir`;\
for i in libapache-mod-php4 libapache2-mod-php4 php4-cgi php4-cli; do \
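Review bot: the two added `patch -p0 < debian/patches/PEAR-CAN_2005_*_xmlrpc.nopatch` calls run unconditionally inside the install recipe, with no stamp file or reverse step, so re-running the target on an already-built tree (a second `debian/rules binary` without a clean) will make `patch` fail on the already-applied hunks and abort the build. Since the package already has a debian/patches mechanism for `*.patch` files, the two XML_RPC fixes should be applied through it rather than by hand in the recipe, which also keeps them visible to interdiff and to anyone reading the patch directory; if they must stay in rules, guard them with a stamp target and reverse them in `clean`. The hunk also leaves the `.nopatch` suffix unexplained; a one-line comment above the calls saying why these files bypass the patch system would save the next maintainer the question asked below.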
only in patch2:
I wonder where php4-4.3.10/debian/patches/CAN-2005-1751-1759.patch
gets applied.
Hmm, maybe that's the regular debian/patches mechanism? Then I'm
asking the other way round, why do you mix debian/patches/*.patch
and *.nopatch? That will only make maintenance more difficult in
the future.
Regards,
Joey
--
The MS-DOS filesystem is nice for removable media. -- H. Peter Anvin