2009/stable/programming/language/php/php - Merge from devel/programming/language/php/php
Eren Türkay
paketler-commits at pardus.org.tr
Sun Nov 22 03:06:03 EET 2009
Author: erenturkay
Date: Sun Nov 22 03:06:02 2009
New Revision: 80821
Added:
2009/stable/programming/language/php/php/files/CVE-2009-3557-tempnam-safemode-bypass.patch
- copied unchanged from r80820, 2009/devel/programming/language/php/php/files/CVE-2009-3557-tempnam-safemode-bypass.patch
2009/stable/programming/language/php/php/files/CVE-2009-3558-posix_mkfifo-openbasedir-bypass.patch
- copied unchanged from r80820, 2009/devel/programming/language/php/php/files/CVE-2009-3558-posix_mkfifo-openbasedir-bypass.patch
2009/stable/programming/language/php/php/files/limit-maxfileuploads-to-prevent-multipart-dos.patch
- copied unchanged from r80820, 2009/devel/programming/language/php/php/files/limit-maxfileuploads-to-prevent-multipart-dos.patch
Modified:
2009/stable/programming/language/php/php/ (props changed)
2009/stable/programming/language/php/php/actions.py
2009/stable/programming/language/php/php/pspec.xml
Log:
Merge from devel/programming/language/php/php:
rev. 80808, by erenturkay on 2009-11-21
It's possible to cause DOS with requests containing 160.000+ file uploads, limit max_uploads to 20. (#11580)
It seems that the backported patch doesn't work. I'm investigating the issue. Will try updating to PHP 5.3.1.
BUG:COMMENT:11580
rev. 80820, by erenturkay on 2009-11-22
Fix 2 security vulnerabilities, too. The previous DOS patch was right; I mistakenly checked and thought it was not fixed.
---
actions.py | 2
files/CVE-2009-3557-tempnam-safemode-bypass.patch | 13 ++
files/CVE-2009-3558-posix_mkfifo-openbasedir-bypass.patch | 12 ++
files/limit-maxfileuploads-to-prevent-multipart-dos.patch | 69 ++++++++++++++
pspec.xml | 19 +++
5 files changed, 114 insertions(+), 1 deletion(-)
Modified: 2009/stable/programming/language/php/php/actions.py
=================================================================
--- 2009/stable/programming/language/php/php/actions.py (original)
+++ 2009/stable/programming/language/php/php/actions.py Sun Nov 22 03:06:02 2009
@@ -26,7 +26,7 @@
shelltools.export("CFLAGS","%s -fwrapv" % get.CFLAGS())
shelltools.export("NO_INTERACTION", "1")
- pisitools.dosed("configure.in", "PHP_UNAME=.*", 'PHP_UNAME="Pardus Linux 2008"')
+ pisitools.dosed("configure.in", "PHP_UNAME=.*", 'PHP_UNAME="Pardus Linux 2009"')
pisitools.dosed("ext/pgsql/config.m4", "include/postgresql", " include/postgresql/pgsql")
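Review bot: the PHP_UNAME change from "Pardus Linux 2008" to "Pardus Linux 2009" is unrelated to the three security patches this merge advertises, and neither the merge log nor the new release 74 History entry mentions it. Either record it in that History comment or land it as a separate commit so the security update to stable stays minimal and reviewable.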
Modified: 2009/stable/programming/language/php/php/pspec.xml
=================================================================
--- 2009/stable/programming/language/php/php/pspec.xml (original)
+++ 2009/stable/programming/language/php/php/pspec.xml Sun Nov 22 03:06:02 2009
@@ -32,6 +32,12 @@
<Patch compressionType="bz2" level="1">suhosin-patch-5.2.11-0.9.7.patch.bz2</Patch>
<Patch>system-timezone.patch</Patch>
<Patch>CVE-2009-3546.patch</Patch>
+ <!-- It's possible to cause DOS with requests containing 160.000+ file uploads, limit it. No CVE-ID yet.. (#11580) -->
+ <Patch level="1">limit-maxfileuploads-to-prevent-multipart-dos.patch</Patch>
+ <!-- http://securityreason.com/securityalert/6601 -->
+ <Patch>CVE-2009-3557-tempnam-safemode-bypass.patch</Patch>
+ <!-- http://securityreason.com/securityalert/6600 -->
+ <Patch>CVE-2009-3558-posix_mkfifo-openbasedir-bypass.patch</Patch>
</Patches>
</Source>
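Review bot: the comment above limit-maxfileuploads-to-prevent-multipart-dos.patch describes the bug but not what the patch changes, and the naming is inconsistent: the log calls the limit "max_uploads" while the patch name says "maxfileuploads". State the actual ini directive, its new default of 20, and whether administrators can raise it, since 20 files per request may be too low for some sites. Also note that this patch is applied with level="1" while the two CVE patches beside it use the default level; given the log's earlier doubt that the backport applied, confirm all three apply cleanly against 5.2.11 with the suhosin patch already in place.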
@@ -100,6 +106,19 @@
</Package>
<History>
+ <Update release="74" type="security">
+ <Date>2009-11-22</Date>
+ <Version>5.2.11</Version>
+ <Comment>
+ Fix 3 important security vulnerabilities:
+
+ - It's possible to cause DOS with requests containing 160.000+ file uploads, limit max_uploads to 20. (#11580)
+ - Safe_mode bypass in tempnam() (CVE-2009-3557)
+ - Open_basedir bypass in posix_mkfifo() (CVE-2009-2558)
+ </Comment>
+ <Name>Eren Türkay</Name>
+ <Email>eren at pardus.org.tr</Email>
+ </Update>
<Update release="73" type="security">
<Date>2009-10-21</Date>
<Version>5.2.11</Version>
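Review bot: the CVE identifier in the new History comment is wrong: the posix_mkfifo() open_basedir bypass is listed as CVE-2009-2558, but the patch file and the Patch entry above both use CVE-2009-3558. Fix the comment to CVE-2009-3558 before release, since users and advisory tooling key on the History entry. The upload DoS bullet also still says "max_uploads"; match the directive name used by the patch.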