Gentoo Bug 125878 - dev-lang/php: ext/session HTTP Response Splitting and XSS through errors

Description:

Opened: 2006-03-11 14:49 0000

Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote
attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header,
related to the (1) session extension (aka ext/session) and the (2) header
function.  PHP 5.1.2 fixes this vulnerability.
--akraut

CVE-2006-0207

------- Comment #1 From Luca Longinotti 2006-03-11 17:27:10 0000 -------

The same issue can be found in dev-lang/php-4.4.1-r3, PHP 4.4.2 fixes this (see
http://www.php.net/release_4_4_2.php for details), the other "big issues"
mentioned in the release announcement were already fixed by 4.4.1-r3, the
security issues will be fixed by adding dev-lang/php-4.4.2 to the tree
today/tomorrow (depends on your timezone :P), will update the bug once it's
done.
Best regards, CHTEKK.

------- Comment #2 From Thierry Carrez (RETIRED) 2006-03-12 03:35:38 0000 -------

Grouping bugs as the same release(s) also fix :

Multiple cross-site scripting (XSS) vulnerabilities in PHP 5.1.1, when
display_errors and html_errors are on, allow remote attackers to inject
arbitrary web script or HTML via inputs to PHP applications that are not
filtered when they are included in the resulting error message.
Note: Gentoo's default config file for PHP has display_errors=on and
html_errors=off making a default-configured system not vulnerable.

CVE-2006-0208
Affected versions are 5.x < 5.1.2 and 4.x < 4.2.2

------- Comment #3 From Thierry Carrez (RETIRED) 2006-03-12 03:36:18 0000 -------

*** Bug 125880 has been marked as a duplicate of this bug. ***

------- Comment #4 From Luca Longinotti 2006-03-12 05:30:42 0000 -------

dev-lang/php-4.4.2 and dev-lang/php-5.1.2 were just added to CVS, both are
ready for arches to stable them, enjoy! ;)
Best regards, CHTEKK.

------- Comment #5 From Stefan Cornelius (RETIRED) 2006-03-12 06:46:55 0000 -------

arches, please test and stable - thank you!

------- Comment #6 From Simon Stelling (RETIRED) 2006-03-12 09:02:20 0000 -------

amd64 both stable

------- Comment #7 From Fernando J. Pereda (RETIRED) 2006-03-12 09:07:50 0000 -------

Both alpha'lized.

------- Comment #8 From Jason Wever (RETIRED) 2006-03-12 10:20:39 0000 -------

SPARC'd

------- Comment #9 From Tobias Scherbaum 2006-03-12 12:47:45 0000 -------

ppc stable

------- Comment #10 From Markus Rothe 2006-03-12 13:38:20 0000 -------

both stable on ppc64

------- Comment #11 From René Nussbaumer 2006-03-13 13:15:37 0000 -------

Stable on hppa

------- Comment #12 From Joshua Jackson 2006-03-13 22:06:30 0000 -------

x86 done \(^.^)/

------- Comment #13 From Stefan Cornelius (RETIRED) 2006-03-14 06:20:18 0000 -------

ready for glsa vote, i tend to say yes

------- Comment #14 From Thierry Carrez (RETIRED) 2006-03-14 13:27:55 0000 -------

Yes here too.

------- Comment #15 From Thierry Carrez (RETIRED) 2006-03-14 13:28:40 0000 -------

Ready for GLSA

------- Comment #16 From Matthias Geerdsen 2006-03-22 14:22:43 0000 -------

the GLSA will contain the following:

Unaffected packages:    dev-lang/php >= 5.1.2 on all architectures

Vulnerable packages:    
dev-lang/php < 4.4.2 on all architectures
dev-lang/php *>= 5.1.1 on all architectures
dev-lang/php *>= 5.0.5 on all architectures
dev-lang/php *>= 5.0.4 on all architectures

This is to ensure that future versions of php 4 will not be listed as affected.
A side effect is, that new revisions of 5.1.1, 5.0.5, 5.0.4 will appear
affected in case they will ever exist, which appears unlikely

------- Comment #17 From Sune Kloppenborg Jeppesen 2006-03-22 15:10:54 0000 -------

GLSA 200603-22

arm, ia64, s390 don't forget to mark stable to benifit from the GLSA.

Bug 125878 depends on:			Show dependency tree
Bug 125878 blocks:			Show dependency tree

Bugzilla Bug 125878

dev-lang/php: ext/session HTTP Response Splitting and XSS through errors

Last modified: 2006-11-11 19:59:41 0000