Your message dated Mon, 04 Jul 2011 13:34:26 +0000
with message-id <e1qdjia-0003ko...@franck.debian.org>
and subject line Bug#631347: fixed in php5 5.3.6-13
has caused the Debian Bug report #631347,
regarding CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows 
different password pairs to produce the same hash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
631347: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631347
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: php5
Severity: serious
Tags: security

Hi,
A bug in crypt_blowfish was reported [1,2,3]. The RH report [4] may be useful 
too.

The function BF_set_key in ./ext/standard/crypt_blowfish.c is vulnerable. Can 
you confirm that the bug affects the Debian packages?

If so, please consider providing patches for stable and oldstable besides
sid.

The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano



--- End Message ---
--- Begin Message ---
Source: php5
Source-Version: 5.3.6-13

We believe that the bug you reported is fixed in the latest version of
php5, which is due to be installed in the Debian FTP archive:

libapache2-mod-php5_5.3.6-13_amd64.deb
  to main/p/php5/libapache2-mod-php5_5.3.6-13_amd64.deb
libapache2-mod-php5filter_5.3.6-13_amd64.deb
  to main/p/php5/libapache2-mod-php5filter_5.3.6-13_amd64.deb
php-pear_5.3.6-13_all.deb
  to main/p/php5/php-pear_5.3.6-13_all.deb
php5-cgi_5.3.6-13_amd64.deb
  to main/p/php5/php5-cgi_5.3.6-13_amd64.deb
php5-cli_5.3.6-13_amd64.deb
  to main/p/php5/php5-cli_5.3.6-13_amd64.deb
php5-common_5.3.6-13_amd64.deb
  to main/p/php5/php5-common_5.3.6-13_amd64.deb
php5-curl_5.3.6-13_amd64.deb
  to main/p/php5/php5-curl_5.3.6-13_amd64.deb
php5-dbg_5.3.6-13_amd64.deb
  to main/p/php5/php5-dbg_5.3.6-13_amd64.deb
php5-dev_5.3.6-13_amd64.deb
  to main/p/php5/php5-dev_5.3.6-13_amd64.deb
php5-enchant_5.3.6-13_amd64.deb
  to main/p/php5/php5-enchant_5.3.6-13_amd64.deb
php5-fpm_5.3.6-13_amd64.deb
  to main/p/php5/php5-fpm_5.3.6-13_amd64.deb
php5-gd_5.3.6-13_amd64.deb
  to main/p/php5/php5-gd_5.3.6-13_amd64.deb
php5-gmp_5.3.6-13_amd64.deb
  to main/p/php5/php5-gmp_5.3.6-13_amd64.deb
php5-imap_5.3.6-13_amd64.deb
  to main/p/php5/php5-imap_5.3.6-13_amd64.deb
php5-interbase_5.3.6-13_amd64.deb
  to main/p/php5/php5-interbase_5.3.6-13_amd64.deb
php5-intl_5.3.6-13_amd64.deb
  to main/p/php5/php5-intl_5.3.6-13_amd64.deb
php5-ldap_5.3.6-13_amd64.deb
  to main/p/php5/php5-ldap_5.3.6-13_amd64.deb
php5-mcrypt_5.3.6-13_amd64.deb
  to main/p/php5/php5-mcrypt_5.3.6-13_amd64.deb
php5-mysql_5.3.6-13_amd64.deb
  to main/p/php5/php5-mysql_5.3.6-13_amd64.deb
php5-odbc_5.3.6-13_amd64.deb
  to main/p/php5/php5-odbc_5.3.6-13_amd64.deb
php5-pgsql_5.3.6-13_amd64.deb
  to main/p/php5/php5-pgsql_5.3.6-13_amd64.deb
php5-pspell_5.3.6-13_amd64.deb
  to main/p/php5/php5-pspell_5.3.6-13_amd64.deb
php5-recode_5.3.6-13_amd64.deb
  to main/p/php5/php5-recode_5.3.6-13_amd64.deb
php5-snmp_5.3.6-13_amd64.deb
  to main/p/php5/php5-snmp_5.3.6-13_amd64.deb
php5-sqlite_5.3.6-13_amd64.deb
  to main/p/php5/php5-sqlite_5.3.6-13_amd64.deb
php5-sybase_5.3.6-13_amd64.deb
  to main/p/php5/php5-sybase_5.3.6-13_amd64.deb
php5-tidy_5.3.6-13_amd64.deb
  to main/p/php5/php5-tidy_5.3.6-13_amd64.deb
php5-xmlrpc_5.3.6-13_amd64.deb
  to main/p/php5/php5-xmlrpc_5.3.6-13_amd64.deb
php5-xsl_5.3.6-13_amd64.deb
  to main/p/php5/php5-xsl_5.3.6-13_amd64.deb
php5_5.3.6-13.diff.gz
  to main/p/php5/php5_5.3.6-13.diff.gz
php5_5.3.6-13.dsc
  to main/p/php5/php5_5.3.6-13.dsc
php5_5.3.6-13_all.deb
  to main/p/php5/php5_5.3.6-13_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ond...@debian.org> (supplier of updated php5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 04 Jul 2011 12:41:07 +0200
Source: php5
Binary: php5 php5-common libapache2-mod-php5 libapache2-mod-php5filter php5-cgi 
php5-cli php5-fpm php5-dev php5-dbg php-pear php5-curl php5-enchant php5-gd 
php5-gmp php5-imap php5-interbase php5-intl php5-ldap php5-mcrypt php5-mysql 
php5-odbc php5-pgsql php5-pspell php5-recode php5-snmp php5-sqlite php5-sybase 
php5-tidy php5-xmlrpc php5-xsl
Architecture: source amd64 all
Version: 5.3.6-13
Distribution: unstable
Urgency: low
Maintainer: Debian PHP Maintainers <pkg-php-ma...@lists.alioth.debian.org>
Changed-By: Ondřej Surý <ond...@debian.org>
Description: 
 libapache2-mod-php5 - server-side, HTML-embedded scripting language (Apache 2 module)
 libapache2-mod-php5filter - server-side, HTML-embedded scripting language (apache 2 filter mo
 php-pear   - PEAR - PHP Extension and Application Repository
 php5       - server-side, HTML-embedded scripting language (metapackage)
 php5-cgi   - server-side, HTML-embedded scripting language (CGI binary)
 php5-cli   - command-line interpreter for the php5 scripting language
 php5-common - Common files for packages built from the php5 source
 php5-curl  - CURL module for php5
 php5-dbg   - Debug symbols for PHP5
 php5-dev   - Files for PHP5 module development
 php5-enchant - Enchant module for php5
 php5-fpm   - server-side, HTML-embedded scripting language (FPM-CGI binary)
 php5-gd    - GD module for php5
 php5-gmp   - GMP module for php5
 php5-imap  - IMAP module for php5
 php5-interbase - interbase/firebird module for php5
 php5-intl  - internationalisation module for php5
 php5-ldap  - LDAP module for php5
 php5-mcrypt - MCrypt module for php5
 php5-mysql - MySQL module for php5
 php5-odbc  - ODBC module for php5
 php5-pgsql - PostgreSQL module for php5
 php5-pspell - pspell module for php5
 php5-recode - recode module for php5
 php5-snmp  - SNMP module for php5
 php5-sqlite - SQLite module for php5
 php5-sybase - Sybase / MS SQL Server module for php5
 php5-tidy  - tidy module for php5
 php5-xmlrpc - XML-RPC module for php5
 php5-xsl   - XSL module for php5
Closes: 631347
Changes: 
 php5 (5.3.6-13) unstable; urgency=low
 .
   * Fix CVE-2011-2483: 8-bit character mishandling allows different
     password pairs to produce the same hash (Closes: #631347)
   * Add support for $2x$ identifier as blowfish variant in crypt.c to
     allow backward compatibility with old invalid hashes
   * Return fail string (*0) on invalid Blowfish salt rounds
   * Add NEWS item about incompatible blowfish hashes
   * Fix CVE-2011-1938: Stack-based buffer overflow in the socket_connect
     function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might
     allow context-dependent attackers to execute arbitrary code via a
     long pathname for a UNIX socket.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk4RvHAACgkQ9OZqfMIN8nNeVQCeNGf0SeKv569iBU+5IPw180zX
UIkAoJfn1tBsu8HaSY2xSml4F+ay5xOD
=jOYW
-----END PGP SIGNATURE-----



--- End Message ---
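Added example, not part of the original messages and not PHP's or crypt_blowfish's own source: a simplified C reconstruction of the password-to-key-word packing step that BF_set_key performs, showing the "8-bit character mishandling" as sign extension of a `char` and the corrected unsigned form. The names `pack_key` and `same_expanded_key` and the sample passwords are constructed for illustration; the page itself names the defect only by its effect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_WORDS 18 /* Blowfish P-array: 16 rounds + 2 words */

/* Pack a NUL-terminated password cyclically (NUL included) into 18 words.
 * sign_extend = 1 models the defect; 0 models the corrected code. */
static void pack_key(const char *key, uint32_t out[BF_WORDS], int sign_extend)
{
    const char *ptr = key;
    for (int i = 0; i < BF_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (sign_extend) /* bytes 0x80..0xFF become 0xFFFFFFxx */
                tmp |= (uint32_t)(int32_t)(signed char)*ptr;
            else             /* only the low 8 bits are merged */
                tmp |= (unsigned char)*ptr;
            if (!*ptr) ptr = key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* Return 1 when both passwords expand to identical key words. */
static int same_expanded_key(const char *a, const char *b, int sign_extend)
{
    uint32_t ka[BF_WORDS], kb[BF_WORDS];
    pack_key(a, ka, sign_extend);
    pack_key(b, kb, sign_extend);
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed inputs: they differ only in the bytes before 0xA3. */
    const char *p1 = "abc\xa3" "xyz";
    const char *p2 = "XYZ\xa3" "xyz";
    printf("sign-extended packing equal: %d\n", same_expanded_key(p1, p2, 1));
    printf("unsigned packing equal:      %d\n", same_expanded_key(p1, p2, 0));
    return 0;
}
```

Because the corrected packing yields different key words for passwords containing 8-bit characters, hashes stored by the old code stop verifying for those passwords, which is the incompatibility the changelog's $2x$ identifier and NEWS item address.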
