Summary: | <dev-lang/php-{5.6.38,7.0.32,7.1.22,7.2.10}: Cross-site scripting (XSS) flaw in Apache2 component via body of 'Transfer-Encoding: chunked' request (CVE-2018-17082) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Brian Evans (RETIRED) <grknight> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | hydrapolic, leho, php-bugs |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.php.net/bug.php?id=76582 | ||
Whiteboard: | A3 [glsa+ cve] | ||
Package list: |
dev-lang/php-5.6.38
dev-lang/php-7.0.32
dev-lang/php-7.1.22
dev-lang/php-7.2.10
dev-libs/libzip-1.3.0 arm
|
Runtime testing required: | --- |
Description
Brian Evans (RETIRED)
2018-09-15 03:45:34 UTC
An automated check of this bug failed - repoman reported dependency errors (500 lines truncated):
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']

*** Bug 666264 has been marked as a duplicate of this bug. ***

arm64 does not have any stable PHP; please look who you CC :)

amd64 stable

An automated check of this bug failed - repoman reported dependency errors (404 lines truncated):
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: RDEPEND: arm(default/linux/arm/13.0) ['>=dev-libs/libzip-1.2.0:=']
> dependency.bad dev-lang/php/php-7.2.10.ebuild: DEPEND: arm(default/linux/arm/17.0) ['>=dev-libs/libzip-1.2.0:=']

An automated check of this bug succeeded - the previous repoman errors are now resolved.

I think `virtual/httpd-php-7.2` needs to also be bumped stable with this?

sparc done.

Agree with comment #7
If we are using this bug to stabilize PHP-7.2, we should also remove "php_targets_php7-2" from profiles/base/use.stable.mask

(In reply to Brandon Holbrook from comment #9)
> Agree with comment #7
>
> If we are using this bug to stabilize PHP-7.2, we should also remove
> "php_targets_php7-2" from profiles/base/use.stable.mask
This will be done at the appropriate time. It's a bunch of extra work to do that part one arch at a time instead of everyone together.

ppc/ppc64 stable

ia64 stable

hppa has no stable php keywords

x86 stable

arm stable

Stable on alpha.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9b41d63fc172ef8fa87fb99b6a283926f82cf80

commit c9b41d63fc172ef8fa87fb99b6a283926f82cf80
Author: Brian Evans <grknight@gentoo.org>
AuthorDate: 2018-10-11 14:38:47 +0000
Commit: Brian Evans <grknight@gentoo.org>
CommitDate: 2018-10-11 14:41:39 +0000

    dev-lang/php: Drop security vulnerable versions

    Bug: https://bugs.gentoo.org/666256
    Bug: https://bugs.gentoo.org/668000
    Signed-off-by: Brian Evans <grknight@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 dev-lang/php/Manifest | 3 -
 dev-lang/php/php-5.6.36.ebuild | 777 -----------------------------------------
 dev-lang/php/php-7.0.30.ebuild | 751 ---------------------------------------
 dev-lang/php/php-7.1.18.ebuild | 731 --------------------------------------
 4 files changed, 2262 deletions(-)

This issue was resolved and addressed in GLSA 201812-01 at https://security.gentoo.org/glsa/201812-01 by GLSA coordinator Aaron Bauman (b-man).