[Secure-testing-team] phpmyadmin update

Moritz Muehlenhoff jmm at inutil.org
Mon May 14 20:40:43 UTC 2007


On Wed, May 09, 2007 at 12:16:44PM +0200, Thijs Kinkhorst wrote:
> On Wednesday 9 May 2007 00:12, you wrote:
> > Hmm, I'm not sure about this. The issue at hand seems like a generic design
> > issue in PHP that's unlikely to be ever fixed inside the interpreter. I
> > would assume that limits to recursion depth would need to be imposed
> > application-specific instead.
> 
> It's a MOPB-found bug in PHP which has already been fixed inside the
> interpreter, and in fact, it has been fixed specifically in a security upload
> to etch: http://security-tracker.debian.net/tracker/CVE-2006-1549
> Only sarge is still "vulnerable".
> http://www.php-security.org/MOPB/MOPB-02-2007.html

This tracker data is likely wrong.

If it really should have been fixed in this NMU:
"php5 (5.1.4-0.1) unstable; urgency=high"
it most probably got lost afterwards. Stefan Esser specifically mentions it
as present in all versions in the above MOPB URL and has added a note:
"Update: The description in CVE-2006-1549 is misleading. It reads as if the
bugs were fixed in PHP 4.4.3 and PHP 5.2.0, which is not the case."
Cheers,
        Moritz
