[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
We're way off topic now (sorry) but in fact Ubuntu does seem to realize there is a problem and is addressing it. My biggest complaint is that there was no news, and no clear way for me to help. They are now advertising for more security engineers, and I am applying. http://webapps.ubuntu.com/employment/canonical_SECE/ Thanks for listening Ubuntu, and hopefully your changes will both improve your security process and help take some of the load off the overworked security people. I believe some of both are necessary, but I'm only an outsider. If you're qualified, please consider applying for this job also, as we who are interested in Ubuntu's ongoing security will all benefit from them hiring the best person available for the job. -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
This has been addressed in Intrepid by updating to PHP 5 here: https://launchpad.net/ubuntu/intrepid/+source/php5/5.2.6-1ubuntu1 Minimal patch above in this post https://bugs.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15 Re: test cases: I've not yet seen widely published exploit code, and I'm not about to change that. Regression potential: It is vaguely possible the escapeshellcmd() change could have unintended affects, but extremely unlikely due to the limited use case of the function combined with necessity of using illegal characters in a multi-byte character set. The patches have also been widely tested at this point. The rest are pure bug fixes with infinitesimally low chance of side effects. -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
This has been addressed in Intrepid buy updating to PHP 5 here: https://launchpad.net/ubuntu/intrepid/+source/php5/5.2.6-1ubuntu1 Minimal patch above in this post https://bugs.launchpad.net/ubuntu/+source/php5/+bug/227464/comments/15 Re: test cases: I've not yet seen widely published exploit code, and I'm not about to change that. Regression potential: It is vaguely possible the escapeshellcmd() change could have unintended affects, but extremely unlikely due to the limited use case of the function combined with necessity of using illegal characters in a multi-byte character set. The patches have also been widely tested at this point. The rest are pure bug fixes with infinitesimally low chance of side effects. -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
Impact: Fixed possible stack buffer overflow in FastCGI SAPI Impact:Potential DOS and remote code execution if using FastCGI Updated PCRE to deal with issues fixed in USN-581-1 Impact:potential DOS and code execution Fixes CVE-2008-0599 Impact:Potential DOS and remote code execution Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. Impact: Potential overwriting of system files if cURL is in use POC code in the advisory: http://securityreason.com/achievement_securityalert/51 Properly address incomplete multibyte chars inside escapeshellcmd() Impact: If I understand correctly, useful for bypassing character based filtering, leading to remotely running arbitrary commands on the shell -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
Sorry, my listing of cURL exploit is not quite accurate, here's an updated version with that and some other fixes (let that be a lesson for you, not to post hastefully and in anger ;-) Impact: Fixed possible stack buffer overflow in FastCGI SAPI Impact:Potential DOS and remote code execution if using FastCGI Updated PCRE to deal with issues fixed in USN-581-1 Impact:Potential DOS and remote code execution Fixes CVE-2008-0599 Impact:Potential DOS and remote code execution Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz. Impact: Potential overwriting or stealing files on the server if cURL is in use Properly address incomplete multibyte chars inside escapeshellcmd() Impact: Bypassing character based filtering, leading to potentially remotely running arbitrary commands on the shell -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
I'm sorry for whining to the people who are subscribed to and care about this bug, but over 2 months since the release of a package with 3 claimed remotely exploitable code injection bugs makes me VERY hesitant to ever recommend Ubuntu for server use ever again. By this time even the slow moving redhat has updated and Ubuntu doesn't even have a package in -proposed. It seems all the hard work was completed over a month ago, and sits in Tormod Volden PPA, with no action since. As far as I can tell, everything else is political will. If there is no more forward, I will have to start explaining to the world how broken Ubuntu's security updating strategy is. I would prefer to put my effort in something more useful then being the squeaky wheel, and will take all suggestions of how I can help. I prefer action over complaining any day ;-) -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports
[Bug 227464] Re: Please roll out security fixes from PHP 5.2.6
Another month has passed, no release for Hardy. I'm not savvy enough with the Ubuntu release procedures to even know who to contact about this. Could someone tell me what it would take to get these bugs fixed in the current stable, advertised for server use Ubuntu? There are 3 remote code execution vulnerabilities fixed in these patches, that's no small thing, and makes it impossible for me to recommend Ubuntu for web server use at the moment. -- Please roll out security fixes from PHP 5.2.6 https://bugs.launchpad.net/bugs/227464 You received this bug notification because you are a member of Ubuntu Backports Testing Team, which is subscribed to Hardy Backports. -- ubuntu-backports mailing list ubuntu-backports@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-backports