Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 08:37:45AM -, Jeff wrote: > I received this CERT Advisory about 6 hours ago, regarding PHP. > The php website confirms the details: www.php.net > I think this is going to be a problem for us, due to the way > the Debian packaging works - > I guess that the immediate solution in this case is for us to > try to get the unstable Apache 1.3.23 package + an updated > PHP4 4.2.1 package + MySQL, SSL etc to work. - aint > going to be quick to test this and roll it out into production, > and in the mean time, we have production servers running > a PHP4 that has a now widely known security issue. Oh - and > yes, we could go out of business and not accept data, but > methinks my tenure would be somewhat shortened if I propose > that at our emergency security meeting in an hours time! > Help? Grab the php4.05 source package, patch and rebuild the package, then distribute. -- Share and Enjoy.
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 02:56:02PM -, Jeff wrote: > > Andrew Suffield wrote: > > Installing unstable packages is in no sense a solution, for > > people doing serious security setups. > What should be realised of course, is that Apache recommended > moving to 1.3.19 and quite some time ago 1.3.23 - so while you > might consider the packaging to be unstable, the product is not. > > PHP are supplying patches, but recommend an upgrade to 4.1.2 <...> > I don't really understand why other dists are able to package up > the upstream recommended versions, but Debian cannot? It is Debian security policy to backport fixes for `stable' instead of putting whole new package version there. And I can see several good reasons for doing that (it was also discussed to some extent at LWN some time ago). I wouldn't rush to upgrade to 1.3.23/4.1.2 before it floats around for some time. First, it may fix not all of the holes; second, fix in a hurry could introduce more bugs. And mixing potato with unstable/testing is no better (actually, worse) than switching to woody altogether. As you could see, Wichert is working on fix backport, and I would wait until he's done, and grab security update for potato. -- Dmitry Borodaenko
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 08:37:45AM -, Jeff wrote: > I received this CERT Advisory about 6 hours ago, regarding PHP. > The php website confirms the details: www.php.net > I think this is going to be a problem for us, due to the way > the Debian packaging works - > I guess that the immediate solution in this case is for us to > try to get the unstable Apache 1.3.23 package + an updated > PHP4 4.2.1 package + MySQL, SSL etc to work. - aint > going to be quick to test this and roll it out into production, > and in the mean time, we have production servers running > a PHP4 that has a now widely known security issue. Oh - and > yes, we could go out of business and not accept data, but > methinks my tenure would be somewhat shortened if I propose > that at our emergency security meeting in an hours time! > Help? Grab the php4.05 source package, patch and rebuild the package, then distribute. -- Share and Enjoy. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 02:56:02PM -, Jeff wrote: > > Andrew Suffield wrote: > > Installing unstable packages is in no sense a solution, for > > people doing serious security setups. > What should be realised of course, is that Apache recommended > moving to 1.3.19 and quite some time ago 1.3.23 - so while you > might consider the packaging to be unstable, the product is not. > > PHP are supplying patches, but recommend an upgrade to 4.1.2 <...> > I don't really understand why other dists are able to package up > the upstream recommended versions, but Debian cannot? It is Debian security policy to backport fixes for `stable' instead of putting whole new package version there. And I can see several good reasons for doing that (it was also discussed to some extent at LWN some time ago). I wouldn't rush to upgrade to 1.3.23/4.1.2 before it floats around for some time. First, it may fix not all of the holes; second, fix in a hurry could introduce more bugs. And mixing potato with unstable/testing is no better (actually, worse) than switching to woody altogether. As you could see, Wichert is working on fix backport, and I would wait until he's done, and grab security update for potato. -- Dmitry Borodaenko -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
> Andrew Suffield wrote: > Installing unstable packages is in no sense a solution, for > people doing serious security setups. What should be realised of course, is that Apache recommended moving to 1.3.19 and quite some time ago 1.3.23 - so while you might consider the packaging to be unstable, the product is not. PHP are supplying patches, but recommend an upgrade to 4.1.2 So we have a conflict - the people who write Apache and PHP are recommending for production, versions that Debian has in unstable [with PHP a brand new version that has not yet reached unstable] I think this points to the major thing wrong with Debian. It is a fabulous, but very hard goal to create a completely stable distribution including thousands of packages for lots of platforms. The result of following this goal is that Debian is dropping further and further behind the current upstream production versions - even for not-very-often used products like Apache and PHP4 8-) I don't really understand why other dists are able to package up the upstream recommended versions, but Debian cannot? Would it be possible to create a separate archive of upstream recommended production versions of core things like: Apache, Perl, SSL, MySQL? I would guess that keeping a much smaller set of core applications and libraries consistent would be easier? Sigh - still no solution to the PHP hole... ATM the best bet seems to be a) building our own PHP4.1.2 b) waiting for the package maintainer. I do note that the PHP4 package maintainer is rather active, so I am holding out for B) atm. Have installed and tested Apache 1.3.23 which seems fine so far... Jeff
RE: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
> Andrew Suffield wrote: > Installing unstable packages is in no sense a solution, for > people doing serious security setups. What should be realised of course, is that Apache recommended moving to 1.3.19 and quite some time ago 1.3.23 - so while you might consider the packaging to be unstable, the product is not. PHP are supplying patches, but recommend an upgrade to 4.1.2 So we have a conflict - the people who write Apache and PHP are recommending for production, versions that Debian has in unstable [with PHP a brand new version that has not yet reached unstable] I think this points to the major thing wrong with Debian. It is a fabulous, but very hard goal to create a completely stable distribution including thousands of packages for lots of platforms. The result of following this goal is that Debian is dropping further and further behind the current upstream production versions - even for not-very-often used products like Apache and PHP4 8-) I don't really understand why other dists are able to package up the upstream recommended versions, but Debian cannot? Would it be possible to create a separate archive of upstream recommended production versions of core things like: Apache, Perl, SSL, MySQL? I would guess that keeping a much smaller set of core applications and libraries consistent would be easier? Sigh - still no solution to the PHP hole... ATM the best bet seems to be a) building our own PHP4.1.2 b) waiting for the package maintainer. I do note that the PHP4 package maintainer is rather active, so I am holding out for B) atm. Have installed and tested Apache 1.3.23 which seems fine so far... Jeff -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Previously Andrew Suffield wrote: > The normal solution in debian is to backport a fix to stable. I see > php.org has a patch for php 4.0.6, this can probably be backported to > 4.0.3/4.0.5 fairly easily. Already done. Before being able to make a php security fix we need to fix the ABI changes in the SNMP security fix first, which is what I'm working on now. Wichert. -- _ /[EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D |
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 01:25:25PM +0200, Dmitry Borodaenko wrote: > Does apt from potato (0.3.19) support Pinning? I don't think so. Thus, > you will need to upgrade your apt manually first. > > On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote: > > If you want to run more up to date packages, you have to > > get them from the "testing", aka Woody release, or even from > > "unstable", aka Sid. None of which solves the problem of "How do I secure my servers?". Installing unstable packages is in no sense a solution, for people doing serious security setups. The normal solution in debian is to backport a fix to stable. I see php.org has a patch for php 4.0.6, this can probably be backported to 4.0.3/4.0.5 fairly easily. -- .''`. ** Debian GNU/Linux ** | Andrew Suffield : :' : http://www.debian.org/ | Dept. of Computing, `. `' | Imperial College, `- -><- | London, UK
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Does apt from potato (0.3.19) support Pinning? I don't think so. Thus, you will need to upgrade your apt manually first. -- Dmitry Borodaenko On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote: > If you want to run more up to date packages, you have to > get them from the "testing", aka Woody release, or even from > "unstable", aka Sid. > > I'm doing the same from based on testing when I need packages > that aren't in testing (yet). Put this in /etc/apt/preferences: > > Package: * > Pin: release a=stable > Pin-Priority: 100 > > Package: * > Pin: release a=testing > Pin-Priority: -10 > > (Replace a=testing with a=unstable if you want or add > anothe paragraph for unstable. I'd assume the priority > for that should be even lower.) > > Now, you can manually install packages from testing with: > apt-get -t testing apache > Dependencies will be satisfied from that release, too. > So be careful not to download half of testing.
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thursday, 2002-02-28 at 08:37:45 -, Jeff wrote: > I received this CERT Advisory about 6 hours ago, regarding PHP. > The php website confirms the details: www.php.net > I think this is going to be a problem for us, due to the way > the Debian packaging works - > We upgraded to Apache 1.3.19-1 for security reasons. > Package dependencies meant we ended up with: > apache 1.3.19-1 > mod_ssl 2.8.2-1 > openssl 0.9.6a-3 > libssl0.9.6 0.9.6a3 > php4 4.0.5-2 > php4-mysql 4.0.5-2 > mysql-server 3.23.46-2 > mysql-common 3.23.46-2 > mysql-client 3.23.46-2 It looks like you are talking about Debian 2.2, aka Debian stable, aka Debian Potato. Yes, this is getting a little long in the tooth. If you want to run more up to date packages, you have to get them from the "testing", aka Woody release, or even from "unstable", aka Sid. I'm doing the same from based on testing when I need packages that aren't in testing (yet). Put this in /etc/apt/preferences: Package: * Pin: release a=stable Pin-Priority: 100 Package: * Pin: release a=testing Pin-Priority: -10 (Replace a=testing with a=unstable if you want or add anothe paragraph for unstable. I'd assume the priority for that should be even lower.) Now, you can manually install packages from testing with: apt-get -t testing apache Dependencies will be satisfied from that release, too. So be careful not to download half of testing. You would be even better off upgrading to testing, but the upgrade will probably be rough. Citing from the latest debian-new mail: > Upgrading from Potato to Woody. Dale Scheetz [14]completed his second > attempt at a smooth upgrade from Potato to Woody. Things went much > better this time, but there are still some slight gotchas that will > need to be detailed in the upgrade notes. Before actually upgrading, > one has to install new versions of apt, dpkg and apt-utils, though. > 14. http://lists.debian.org/debian-devel-0202/msg01868.html Maybe you should try to download packages and install them one by one. Or even compile Apache, PHP, etc. yourself. Or wait if somebody provides an updated php4 package (4.0.5-3?). HTH, Lupe Christoph -- | [EMAIL PROTECTED] |http://free.prohosting.com/~lupe | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. | | http://public.logica.com/~stepneys/joke/klingon.htm|
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Previously Andrew Suffield wrote: > The normal solution in debian is to backport a fix to stable. I see > php.org has a patch for php 4.0.6, this can probably be backported to > 4.0.3/4.0.5 fairly easily. Already done. Before being able to make a php security fix we need to fix the ABI changes in the SNMP security fix first, which is what I'm working on now. Wichert. -- _ [EMAIL PROTECTED] This space intentionally left occupied \ | [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thu, Feb 28, 2002 at 01:25:25PM +0200, Dmitry Borodaenko wrote: > Does apt from potato (0.3.19) support Pinning? I don't think so. Thus, > you will need to upgrade your apt manually first. > > On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote: > > If you want to run more up to date packages, you have to > > get them from the "testing", aka Woody release, or even from > > "unstable", aka Sid. None of which solves the problem of "How do I secure my servers?". Installing unstable packages is in no sense a solution, for people doing serious security setups. The normal solution in debian is to backport a fix to stable. I see php.org has a patch for php 4.0.6, this can probably be backported to 4.0.3/4.0.5 fairly easily. -- .''`. ** Debian GNU/Linux ** | Andrew Suffield : :' : http://www.debian.org/ | Dept. of Computing, `. `' | Imperial College, `- -><- | London, UK -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
Does apt from potato (0.3.19) support Pinning? I don't think so. Thus, you will need to upgrade your apt manually first. -- Dmitry Borodaenko On Thu, Feb 28, 2002 at 10:37:00AM +0100, Lupe Christoph wrote: > If you want to run more up to date packages, you have to > get them from the "testing", aka Woody release, or even from > "unstable", aka Sid. > > I'm doing the same from based on testing when I need packages > that aren't in testing (yet). Put this in /etc/apt/preferences: > > Package: * > Pin: release a=stable > Pin-Priority: 100 > > Package: * > Pin: release a=testing > Pin-Priority: -10 > > (Replace a=testing with a=unstable if you want or add > anothe paragraph for unstable. I'd assume the priority > for that should be even lower.) > > Now, you can manually install packages from testing with: > apt-get -t testing apache > Dependencies will be satisfied from that release, too. > So be careful not to download half of testing. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload
On Thursday, 2002-02-28 at 08:37:45 -, Jeff wrote: > I received this CERT Advisory about 6 hours ago, regarding PHP. > The php website confirms the details: www.php.net > I think this is going to be a problem for us, due to the way > the Debian packaging works - > We upgraded to Apache 1.3.19-1 for security reasons. > Package dependencies meant we ended up with: > apache 1.3.19-1 > mod_ssl 2.8.2-1 > openssl 0.9.6a-3 > libssl0.9.6 0.9.6a3 > php4 4.0.5-2 > php4-mysql 4.0.5-2 > mysql-server 3.23.46-2 > mysql-common 3.23.46-2 > mysql-client 3.23.46-2 It looks like you are talking about Debian 2.2, aka Debian stable, aka Debian Potato. Yes, this is getting a little long in the tooth. If you want to run more up to date packages, you have to get them from the "testing", aka Woody release, or even from "unstable", aka Sid. I'm doing the same from based on testing when I need packages that aren't in testing (yet). Put this in /etc/apt/preferences: Package: * Pin: release a=stable Pin-Priority: 100 Package: * Pin: release a=testing Pin-Priority: -10 (Replace a=testing with a=unstable if you want or add anothe paragraph for unstable. I'd assume the priority for that should be even lower.) Now, you can manually install packages from testing with: apt-get -t testing apache Dependencies will be satisfied from that release, too. So be careful not to download half of testing. You would be even better off upgrading to testing, but the upgrade will probably be rough. Citing from the latest debian-new mail: > Upgrading from Potato to Woody. Dale Scheetz [14]completed his second > attempt at a smooth upgrade from Potato to Woody. Things went much > better this time, but there are still some slight gotchas that will > need to be detailed in the upgrade notes. Before actually upgrading, > one has to install new versions of apt, dpkg and apt-utils, though. > 14. http://lists.debian.org/debian-devel-0202/msg01868.html Maybe you should try to download packages and install them one by one. Or even compile Apache, PHP, etc. yourself. Or wait if somebody provides an updated php4 package (4.0.5-3?). HTH, Lupe Christoph -- | [EMAIL PROTECTED] |http://free.prohosting.com/~lupe | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. | | http://public.logica.com/~stepneys/joke/klingon.htm| -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
