Re: [SECURITY] [DSA 3074-1] php5 security update
Yves-Alexis Perez wrote...

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3074-1                   secur...@debian.org
> http://www.debian.org/security/                         Yves-Alexis Perez
> November 18, 2014                      http://www.debian.org/security/faq
> -------------------------------------------------------------------------
> Package        : php5
> CVE ID         : CVE-2014-3710
> Debian Bug     : 68283

Um, that number is wrong. It isn't #768283 either.

Worse, that update broke things:

| From: root@host-redacted (Cron Daemon)
| To: root@host-redacted
| Subject: Cron <root@host-redacted> [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
|
| sed: invalid option -- 'z'
| Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
|
|   -n, --quiet, --silent
|                  suppress automatic printing of pattern space

The -z option isn't available in the wheezy version of sed.

For the records, this is the change in sessionclean:

--- /tmp/sessionclean	2014-10-20 11:03:53.0 +0200
+++ /usr/lib/php5/sessionclean	2014-11-18 08:02:56.0 +0100
@@ -1,7 +1,7 @@
 #!/bin/sh
 # first find all used files and touch them (hope it's not massive amount of files)
-[ -x /usr/bin/lsof ] /usr/bin/lsof -w -l +d ${1} | awk -- '{ if (NR 1) { print $9; } }' | xargs -i touch -c {}
+[ -x /usr/bin/lsof ] /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne s/^n//p | xargs -0i echo touch -c -h '{}'
 # find all files older then maxlifetime
 find ${1} -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin +${2} -delete

Regards,

    Christoph
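Review bot: the `+` line trades a pipeline that worked with the sed shipped in wheezy for one that requires GNU sed's `-z`, which the cron mail quoted above shows wheezy's sed rejects (`sed: invalid option -- 'z'`); when that happens the pipeline emits nothing, no session file in use is touched, and the `find ... -cmin +${2} -delete` line below then removes active sessions as soon as they pass maxlifetime. The same line also ends in `xargs -0i echo touch -c -h '{}'`, so even on a sed that accepts `-z` the `touch` is only printed, never run, and the outcome is the same. Suggested change: drop the `echo`, and either keep a NUL-safe name extraction that does not depend on `-z` or guard the `-z` form with a sed version check. Both the `-` and `+` lines as rendered here also show `[ -x /usr/bin/lsof ] /usr/bin/lsof` with no operator between the test and the command, and the awk condition reads `NR 1`; that looks like `&&` and `>` being lost in the archive rendering rather than in the script, but it is worth confirming against the installed file.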
Re: [SECURITY] [DSA 3074-1] php5 security update
/usr/lib/php5/sessionclean in the update uses the -z option of sed, but sed in wheezy doesn't have that option.

In the update, the critical change:

    [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne s/^n//p | xargs -0i echo touch -c -h '{}'

previous version:

    [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d ${1} | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {}

Regards,
Mark.

Archive: https://lists.debian.org/546bc1f5.1060...@mega.co.nz
Re: [SECURITY] [DSA 3074-1] php5 security update
Christoph Biedl wrote...

> +[ -x /usr/bin/lsof ] /usr/bin/lsof -w -l +d ${1} -F0 | sed -zne s/^n//p | xargs -0i echo touch -c -h '{}'

Addendum, that echo rather looks like debugging.

    Christoph
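As an added example, not code from Debian's php5 package: a NUL-safe way to pull the path fields out of `lsof -F0` output that does not need `sed -z` (added in GNU sed 4.2.2; the 4.2.1 in wheezy lacks it), plus a drop-in for the broken line without the stray `echo` noted above. The sample lsof output is constructed, and the exact `-F0` field layout it assumes is an approximation.

```shell
#!/bin/sh
# Added example, not Debian's sessionclean: the NUL-separated name extraction
# that the update does with `sed -z` (GNU sed >= 4.2.2), rewritten so it also
# works with wheezy's sed 4.2.1 (no -z) and stays safe for file names that
# contain spaces or newlines. Only tr and sed are used.

# Constructed sample of `lsof -w -l +d DIR -F0` output: each field ends in
# NUL, each process/file record ends in NL, and the path field starts with
# 'n'. One name deliberately contains a newline to show the NUL safety.
sample_lsof_f0() {
    printf 'p1234\000\nf12\000n/var/lib/php5/sess_abc\000\n'
    printf 'p1234\000\nf13\000n/var/lib/php5/sess_x\ny\000\n'
    printf 'p5678\000\nf9\000n/var/lib/php5/sess_def\000\n'
}

# Does the local sed accept -z?  Exit 0 = yes (jessie), non-zero = no (wheezy).
sed_has_z() {
    printf 'a\000' | sed -z 's/a/b/' >/dev/null 2>&1
}

# Portable equivalent of `sed -zne s/^n//p`: swap NUL and NL so every lsof
# field becomes one line, let plain sed strip the 'n' tag and print only
# those fields, then swap back so the result is NUL-terminated for xargs -0.
# A newline inside a name travels through sed as a NUL and is restored.
names_nul() {
    tr '\000\n' '\n\000' | sed -ne 's/^n//p' | tr '\n\000' '\000\n'
}

# Drop-in for the update's line, without the leftover `echo`:
#   [ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "$1" -F0 | names_nul \
#       | xargs -0 -I{} touch -c -h '{}'
# Dry run on the constructed sample instead of a live lsof:
#   sample_lsof_f0 | names_nul | xargs -0 -I{} echo touch -c -h '{}'
```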
Re: [SECURITY] [DSA 3074-1] php5 security update
Just filed a bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770105

cheers
daniel

Archive: https://lists.debian.org/546bc6d3.9040...@nachtgeist.net
Re: [SECURITY] [DSA 3074-1] php5 security update
This update is incompatible with sed and gives some trouble on webservers in /usr/lib/php5/sessionclean (invalid option -- z)

On 18 nov. 2014, at 22:10, Yves-Alexis Perez <cor...@debian.org> wrote:

> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3074-1                   secur...@debian.org
> http://www.debian.org/security/                         Yves-Alexis Perez
> November 18, 2014                      http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : php5
> CVE ID         : CVE-2014-3710
> Debian Bug     : 68283
>
> Francisco Alonso of Red Hat Product Security found an issue in the file
> utility, whose code is embedded in PHP, a general-purpose scripting
> language. When checking ELF files, note headers are incorrectly checked,
> thus potentially allowing attackers to cause a denial of service
> (out-of-bounds read and application crash) by supplying a specially
> crafted ELF file.
>
> As announced in DSA-3064-1 it has been decided to follow the stable 5.4.x
> releases for the Wheezy php5 packages. Consequently the vulnerability is
> addressed by upgrading PHP to a new upstream version 5.4.35, which
> includes additional bug fixes, new features and possibly incompatible
> changes. Please refer to the upstream changelog for more information:
>
> http://php.net/ChangeLog-5.php#5.4.35
>
> For the stable distribution (wheezy), this problem has been fixed in
> version 5.4.35-0+deb7u1.
>
> We recommend that you upgrade your php5 packages.
>
> Further information about Debian Security Advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://www.debian.org/security/
>
> Mailing list: debian-security-annou...@lists.debian.org
>
> Archive: https://lists.debian.org/20141118211042.ga9...@scapa.corsac.net

Archive: https://lists.debian.org/9ee2152b-8d32-4dc8-89a8-5eaad6581...@harperink.de
Re: [SECURITY] [DSA 3074-1] php5 security update
On mar., 2014-11-18 at 22:59 +0100, Christoph Biedl wrote:
> Um, that number is wrong. It isn't #768283 either.

Definitely. This is a PHP bug number…

> Worse, that update broke things:
>
> | From: root@host-redacted (Cron Daemon)
> | To: root@host-redacted
> | Subject: Cron <root@host-redacted> [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime)
> |
> | sed: invalid option -- 'z'
> | Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]...
> |
> |   -n, --quiet, --silent
> |                  suppress automatic printing of pattern space
>
> The -z option isn't available in the wheezy version of sed.
>
> For the records, this is the change in sessionclean:

Yes, we're aware of that and working on a quick regression update.

Regards,
-- 
Yves-Alexis