Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Petro
On Thu, Feb 28, 2002 at 08:37:45AM -, Jeff wrote:
> I received this CERT Advisory about 6 hours ago, regarding PHP. 
> The php website confirms the details: www.php.net
> I think this is going to be a problem for us, due to the way
> the Debian packaging works - 
> I guess that the immediate solution in this case is for us to
> try to get the unstable Apache 1.3.23 package + an updated
> PHP4 4.2.1 package + MySQL, SSL etc to work.  - ain't
> going to be quick to test this and roll it out into production, 
> and in the meantime, we have production servers running
> a PHP4 that has a now widely known security issue. Oh - and 
> yes, we could go out of business and not accept data, but
> methinks my tenure would be somewhat shortened if I propose
> that at our emergency security meeting in an hour's time!
> Help?

Grab the php4.05 source package, patch and rebuild the package, then 
distribute.

-- 
Share and Enjoy. 



Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Dmitry Borodaenko
On Thu, Feb 28, 2002 at 02:56:02PM -, Jeff wrote:
> > Andrew Suffield wrote:
> > Installing unstable packages is in no sense a solution, for
> > people doing serious security setups.
> What should be realised, of course, is that Apache recommended
> moving to 1.3.19 and quite some time ago 1.3.23 - so while you
> might consider the packaging to be unstable, the product is not.
> 
> PHP are supplying patches, but recommend an upgrade to 4.1.2
<...>
> I don't really understand why other dists are able to package up
> the upstream recommended versions, but Debian cannot? 

It is Debian security policy to backport fixes for `stable' instead of
putting a whole new package version there. And I can see several good
reasons for doing that (it was also discussed to some extent at LWN some
time ago).

I wouldn't rush to upgrade to 1.3.23/4.1.2 before it floats around for
some time. First, it may not fix all of the holes; second, a fix in a
hurry could introduce more bugs. And mixing potato with unstable/testing
is no better (actually, worse) than switching to woody altogether.

As you could see, Wichert is working on a fix backport, and I would wait
until he's done, and grab the security update for potato.

-- 
Dmitry Borodaenko



RE: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Jeff
> Andrew Suffield wrote:
> Installing unstable packages is in no sense a solution, for
> people doing serious security setups.

What should be realised, of course, is that Apache recommended
moving to 1.3.19 and quite some time ago 1.3.23 - so while you
might consider the packaging to be unstable, the product is not.

PHP are supplying patches, but recommend an upgrade to 4.1.2

So we have a conflict - the people who write Apache and PHP are
recommending for production, versions that Debian has in unstable
[with PHP a brand new version that has not yet reached unstable]

I think this points to the major thing wrong with Debian.
It is a fabulous, but very hard goal to create a completely stable 
distribution including thousands of packages for lots of platforms.

The result of following this goal is that Debian is dropping further 
and further behind the current upstream production versions - even
for not-very-often used products like Apache and PHP4 8-)

I don't really understand why other dists are able to package up
the upstream recommended versions, but Debian cannot? 

Would it be possible to create a separate archive of upstream 
recommended production versions of core things like: Apache, Perl, 
SSL, MySQL? I would guess that keeping a much smaller set of core
applications and libraries consistent would be easier?

Sigh - still no solution to the PHP hole... 
ATM the best bet seems to be 
a) building our own PHP4.1.2  
b) waiting for the package maintainer.

I do note that the PHP4 package maintainer is rather active, so
I am holding out for B) atm. Have installed and tested Apache 1.3.23
which seems fine so far...


Jeff




Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Wichert Akkerman
Previously Andrew Suffield wrote:
> The normal solution in debian is to backport a fix to stable. I see
> php.org has a patch for php 4.0.6, this can probably be backported to
> 4.0.3/4.0.5 fairly easily.

Already done. Before being able to make a php security fix we need
to fix the ABI changes in the SNMP security fix first, which is what
I'm working on now.

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Andrew Suffield
On Thu, Feb 28, 2002 at 01:25:25PM +0200, Dmitry Borodaenko wrote:
> Does apt from potato (0.3.19) support Pinning? I don't think so. Thus,
> you will need to upgrade your apt manually first.
> 
> On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote:
> > If you want to run more up to date packages, you have to
> > get them from the "testing", aka Woody release, or even from
> > "unstable", aka Sid.

None of which solves the problem of "How do I secure my
servers?". Installing unstable packages is in no sense a solution, for
people doing serious security setups.

The normal solution in debian is to backport a fix to stable. I see
php.org has a patch for php 4.0.6, this can probably be backported to
4.0.3/4.0.5 fairly easily.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ | Dept. of Computing,
 `. `'  | Imperial College,
   `- -><-  | London, UK



Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Dmitry Borodaenko
Does apt from potato (0.3.19) support Pinning? I don't think so. Thus,
you will need to upgrade your apt manually first.

-- 
Dmitry Borodaenko

On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote:
> If you want to run more up to date packages, you have to
> get them from the "testing", aka Woody release, or even from
> "unstable", aka Sid.
> 
> I'm doing the same, based on testing, when I need packages
> that aren't in testing (yet). Put this in /etc/apt/preferences:
> 
> Package: *
> Pin: release a=stable
> Pin-Priority: 100
> 
> Package: *
> Pin: release a=testing
> Pin-Priority: -10
> 
> (Replace a=testing with a=unstable if you want or add
> another paragraph for unstable. I'd assume the priority
> for that should be even lower.)
> 
> Now, you can manually install packages from testing with:
>   apt-get -t testing apache
> Dependencies will be satisfied from that release, too.
> So be careful not to download half of testing.



Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Lupe Christoph
On Thursday, 2002-02-28 at 08:37:45 -, Jeff wrote:
> I received this CERT Advisory about 6 hours ago, regarding PHP. 
> The php website confirms the details: www.php.net

> I think this is going to be a problem for us, due to the way
> the Debian packaging works - 

> We upgraded to Apache 1.3.19-1 for security reasons.
> Package dependencies meant we ended up with:
>   apache   1.3.19-1
>   mod_ssl  2.8.2-1
>   openssl  0.9.6a-3
>   libssl0.9.6  0.9.6a3
>   php4 4.0.5-2
>   php4-mysql   4.0.5-2
>   mysql-server 3.23.46-2
>   mysql-common 3.23.46-2
>   mysql-client 3.23.46-2

It looks like you are talking about Debian 2.2, aka Debian stable,
aka Debian Potato. Yes, this is getting a little long in the tooth.
If you want to run more up to date packages, you have to
get them from the "testing", aka Woody release, or even from
"unstable", aka Sid.

I'm doing the same, based on testing, when I need packages
that aren't in testing (yet). Put this in /etc/apt/preferences:

Package: *
Pin: release a=stable
Pin-Priority: 100

Package: *
Pin: release a=testing
Pin-Priority: -10

(Replace a=testing with a=unstable if you want or add
another paragraph for unstable. I'd assume the priority
for that should be even lower.)

Now, you can manually install packages from testing with:
apt-get -t testing apache
Dependencies will be satisfied from that release, too.
So be careful not to download half of testing.

You would be even better off upgrading to testing,
but the upgrade will probably be rough. Citing from the
latest debian-new mail:

> Upgrading from Potato to Woody. Dale Scheetz [14]completed his second
> attempt at a smooth upgrade from Potato to Woody. Things went much
> better this time, but there are still some slight gotchas that will
> need to be detailed in the upgrade notes. Before actually upgrading,
> one has to install new versions of apt, dpkg and apt-utils, though.

>  14. http://lists.debian.org/debian-devel-0202/msg01868.html

Maybe you should try to download packages and install them one by one.
Or even compile Apache, PHP, etc. yourself.

Or wait if somebody provides an updated php4 package (4.0.5-3?).

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

2002-02-28 Thread Jeff
I received this CERT Advisory about 6 hours ago, regarding PHP. 
The php website confirms the details: www.php.net

I think this is going to be a problem for us, due to the way
the Debian packaging works - 

We upgraded to Apache 1.3.19-1 for security reasons.
Package dependencies meant we ended up with:
  apache   1.3.19-1
  mod_ssl  2.8.2-1
  openssl  0.9.6a-3
  libssl0.9.6  0.9.6a3
  php4 4.0.5-2
  php4-mysql   4.0.5-2
  mysql-server 3.23.46-2
  mysql-common 3.23.46-2
  mysql-client 3.23.46-2

Getting all the cross-dependencies to work was difficult,
and we tried to get Apache 1.3.22 working, but the build
in test 1.3.22-5 is badly broken with an Apache bug from 
some time ago, where QUERY_STRING is not populated when
using multiviews.

We originally selected Debian due to the granularity of the
packaging system, however stable is now lagging so far behind
the real world that we have been forced to do a lot of jiggery-pokery
to get basic things like Apache/PHP4/MySQL/SSL to work.

I guess that the immediate solution in this case is for us to
try to get the unstable Apache 1.3.23 package + an updated
PHP4 4.2.1 package + MySQL, SSL etc to work.  - ain't
going to be quick to test this and roll it out into production, 
and in the meantime, we have production servers running
a PHP4 that has a now widely known security issue. Oh - and 
yes, we could go out of business and not accept data, but
methinks my tenure would be somewhat shortened if I propose
that at our emergency security meeting in an hour's time!

Help?



