[php-maint] Bug#349260: still vulnerable to CVE-2002-1954

Joey Hess joeyh at debian.org
Sat Jan 21 21:11:38 UTC 2006


Package: php4
Version: 4:4.4.2-1
Severity: normal
Tags: security

I think that php4 is still vulnerable to CVE-2002-1954. Bug #19881 was
previously filed for this and several other security holes; the other
holes got fixed but this one remains open.

According to testing security team notes:

        NOTE: According to http://bugs.php.net/bug.php?id=19881 this only affects a
        NOTE: php function that displays the PHP logo and version information. In the bug
        NOTE: log the developers seem unwilling to fix this, as it only affects a debug
        NOTE: function.
        NOTE: fixed in CVS, estimated release of PHP5.1 to fix this issue

And it is fixed in php5 5.1.1-1, but not yet in php4 afaics.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

-- 
see shy jo