Your message dated Sun, 20 Dec 2020 13:57:55 +0000
with message-id <e1kqzdf-0005xq...@fasolo.debian.org>
and subject line Bug#976108: fixed in php-pear 1:1.10.6+submodules+notgz-1.1+deb10u1
has caused the Debian Bug report #976108,
regarding php-pear: CVE-2020-28948 CVE-2020-28949
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
976108: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976108
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: php-pear
Version: 1:1.10.9+submodules+notgz-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/pear/Archive_Tar/issues/33
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1:1.10.6+submodules+notgz-1.1

Hi,

The following vulnerabilities were published for php-pear.

CVE-2020-28948[0]:
| Archive_Tar through 1.4.10 allows an unserialization attack because
| phar: is blocked but PHAR: is not blocked.


CVE-2020-28949[1]:
| Archive_Tar through 1.4.10 has :// filename sanitization only to
| address phar attacks, and thus any other stream-wrapper attack (such
| as file:// to overwrite files) can still succeed.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28948
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28948
[1] https://security-tracker.debian.org/tracker/CVE-2020-28949
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28949
[2] https://github.com/pear/Archive_Tar/issues/33
[3] https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da

Regards,
Salvatore

--- End Message ---
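The two CVEs quoted above describe the same class of defect in an archive extractor: a filename filter that matches one scheme (`phar:`) case-sensitively, and a `://` check that was only meant to catch that scheme, so `PHAR:` and `file://` entry names slip through. The following PHP snippet is an added illustration, not part of this bug report and not Archive_Tar's own code or its upstream fix; it places a check shaped like the one the CVE text criticises beside a hardened entry-name validator, and runs both over a small set of constructed entry names. Function and variable names are the example's own.

```php
<?php
// Added example, not Archive_Tar code: validating tar entry names before
// they are used as extraction targets.

/**
 * Weak check in the spirit of the flaw described by CVE-2020-28948/28949:
 * a case-sensitive match against a single scheme. "PHAR://x" and
 * "file://x" both pass.
 */
function weakEntryNameCheck(string $name): bool
{
    return strpos($name, 'phar://') === false;
}

/**
 * Hardened check: an extraction target must be a plain relative path with
 * no scheme-like prefix of any kind (compared case-insensitively), no "://",
 * no NUL byte, no leading slash and no ".." segment.
 */
function isSafeEntryName(string $name): bool
{
    // Treat backslashes as separators so "..\" style names are caught too.
    $n = str_replace('\\', '/', $name);

    if ($n === '') {
        return false;
    }
    // NUL bytes truncate paths in C-level filesystem calls.
    if (strpos($n, "\0") !== false) {
        return false;
    }
    // Any "scheme:" prefix (phar:, PHAR:, file:, php:, data:, C:, ...),
    // case-insensitive by construction of the character classes.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $n)) {
        return false;
    }
    // Belt and braces: a stream-wrapper marker anywhere in the name.
    if (stripos($n, '://') !== false) {
        return false;
    }
    // Absolute paths.
    if ($n[0] === '/') {
        return false;
    }
    // Directory traversal.
    foreach (explode('/', $n) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Constructed sample entry names (not taken from any real archive);
// the value is the verdict the hardened check is expected to give.
$samples = [
    'docs/README.md'       => true,
    'phar://evil.phar/x'   => false,
    'PHAR://evil.phar/x'   => false,
    'file:///etc/passwd'   => false,
    'FILE:///etc/passwd'   => false,
    '../../etc/cron.d/job' => false,
    '/etc/passwd'          => false,
    "a\0b"                 => false,
];

foreach ($samples as $name => $expected) {
    $weak = weakEntryNameCheck($name) ? 'allowed' : 'rejected';
    $hard = isSafeEntryName($name) ? 'allowed' : 'rejected';
    printf("%-22s weak=%-8s hardened=%-8s %s\n",
        str_replace("\0", '\0', $name), $weak, $hard,
        (isSafeEntryName($name) === $expected) ? 'ok' : 'MISMATCH');
}
```

Run with `php entry-names.php`: the weak check lets every name except `phar://evil.phar/x` through, while the hardened check rejects everything but `docs/README.md`. The point of the regex plus `stripos` pairing is that the filter no longer enumerates bad schemes (which is what made `phar:` versus `PHAR:` matter); it accepts only the one shape an extraction target should ever have.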
--- Begin Message ---
Source: php-pear
Source-Version: 1:1.10.6+submodules+notgz-1.1+deb10u1
Done: Salvatore Bonaccorso <car...@debian.org>

We believe that the bug you reported is fixed in the latest version of
php-pear, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 976...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated php-pear package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Dec 2020 16:03:59 +0100
Source: php-pear
Architecture: source
Version: 1:1.10.6+submodules+notgz-1.1+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian PHP PEAR Maintainers <pkg-php-p...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 976108
Changes:
 php-pear (1:1.10.6+submodules+notgz-1.1+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * ensure we catch additional malicious/crafted filenames (CVE-2020-28948,
     CVE-2020-28949) (Closes: #976108)
Checksums-Sha1: 
 2330d4708878fd03a96b56ec5815ff98e3dc9ddf 2284 php-pear_1.10.6+submodules+notgz-1.1+deb10u1.dsc
 d2d23d9bfcdfce2af7a2ecf78475c725816f4999 2212375 php-pear_1.10.6+submodules+notgz.orig.tar.gz
 c0934b0e2f73bad8e9d50d9f35b3f9e841ff5ba1 6900 php-pear_1.10.6+submodules+notgz-1.1+deb10u1.debian.tar.xz
Checksums-Sha256: 
 756f6a58d08c040c8cb330342e67cd8c5a4fab6ca162e52de68882c9ba428f3c 2284 php-pear_1.10.6+submodules+notgz-1.1+deb10u1.dsc
 239d656f5b88a914552ac10b524551bf052b3f59aa9c57995c8aed6e48b15389 2212375 php-pear_1.10.6+submodules+notgz.orig.tar.gz
 41d2d3ba60b92f3950db892f48b7c1f08ecd248cf1439b4a943e91374cced032 6900 php-pear_1.10.6+submodules+notgz-1.1+deb10u1.debian.tar.xz
Files: 
 b411b67725bd1860f63868c697ed2fcb 2284 php optional php-pear_1.10.6+submodules+notgz-1.1+deb10u1.dsc
 781a7e0d311e16ca7b5e64fcb66b6eac 2212375 php optional php-pear_1.10.6+submodules+notgz.orig.tar.gz
 950da5acb41c811754e0c5d87e3876c8 6900 php optional php-pear_1.10.6+submodules+notgz-1.1+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl/M8+dfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ELy4P/2DZkR88dfYnPzA4YJ85GpxzoheJq/qY
0ELVkzWyvJxuCKixefXXsHqzcxKNJtOhbuEejBv6DTLs3LinVeBGyeOcQc63198r
rL7nXzU43E63Wp+epi5vgojO6vzwDjaFDoLlJguCTW0YVJaXKK89BYdCe0Uf0dLr
gVuldYRf/pW58DpdXU6yxXdG2NzCIcBN5hK1URh/9vBYmPLR8jVT4VmsdKL1QNPW
YvjGo50B/nbtfY/lWaexS6bPnmhcVhT8xUK33j8ykHInQUb9WA5QqZmx7SPWLZxN
aJoyvOlcr41gXatpnUDTR7hRCSomFCuPKZWfAC/ICj9lPEvwZMeKTSfxxiKVYqdg
DNAbxQgF/D+ETJWxZSw2hPsBu0FZw/WtJfegsSSQXRYrK1YOvocDMc8uYWSlookr
h0YPqz6K0f+erpzKU/3V5mssX/guPMroijSaA5W4ttpvNpyNXRL5KiB1EYxp5GEU
WI711fxGtXlPFPcTbmv5ngvcLbLdNHn9c/Px1m9L2TsVbGBGJcZAijpWNtTWNs9j
XOoEZVUgXC+E9UwZtmPjalqy6UZLVAxYs4GzahmOnY9ZJjcuqJGaJRhPqsl4mY5t
BWiN2C1bKkkzuUwn8olPNsqC1GTKq+DI0IUx4+dvw0CjGXeFoLctIJK/Em9yjtTo
D4E95VaZCHsk
=7jk0
-----END PGP SIGNATURE-----

--- End Message ---