Summary: dev-php/php pear client is affected by XML_RPC PHP flaw (CAN-2005-1921)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Thierry Carrez (RETIRED) 2005-07-01 13:42:34 UTC
The pear command makes use of the affected XML-RPC library. php-4.4.0_rc2 is in the tree, but it's probably better to have a patched version of the current stable, which can be stabilized faster.
Comment 1 Thierry Carrez (RETIRED) 2005-07-01 13:43:28 UTC
Rating B2 as it requires the unusual setup of having malicious PEAR servers to connect to...
Comment 2 Sebastian Bergmann (RETIRED) 2005-07-01 22:45:32 UTC
Maybe just adding RDEPEND=">=dev-php/PEAR-XML_RPC-1.3.1" to the dev-php/php, dev-php/php-cgi, and dev-php/mod_php ebuilds does the trick.
Comment 3 Thierry Carrez (RETIRED) 2005-07-08 01:51:40 UTC
php herd: your call... we are a little late already :)
Comment 4 Thierry Carrez (RETIRED) 2005-07-11 06:15:36 UTC
PHP herd waits for php 4.4.0 final.
Comment 5 Sebastian Bergmann (RETIRED) 2005-07-11 07:49:43 UTC
PHP 4.4.0 (final) is in the tree.
Comment 6 Stefan Cornelius (RETIRED) 2005-07-11 18:19:14 UTC
Arches please test and mark 4.4.0 stable, thank you.
Comment 7 Jason Wever (RETIRED) 2005-07-11 18:30:14 UTC
mod_php-4.4.0 has a dependency on >=net-www/apache-2.0.54-r10. Do we really want this right now (as I believe this is one of the apache builds with the new config)?
Comment 8 Sebastian Bergmann (RETIRED) 2005-07-12 00:02:37 UTC
I am working on a new ebuild for mod_php-4.4.0 that is based on the current mod_php-4.3.11 ebuild. The current mod_php-4.4.0 ebuild will become mod_php-4.4.0-r1 and use the new Apache layout.
Comment 9 Sebastian Bergmann (RETIRED) 2005-07-12 02:15:07 UTC
Stable on x86.
Comment 10 Gustavo Zacarias (RETIRED) 2005-07-12 08:54:51 UTC
Comment 11 Markus Rothe (RETIRED) 2005-07-12 10:17:39 UTC
stable on ppc64
Comment 12 Tobias Scherbaum (RETIRED) 2005-07-12 12:27:00 UTC
Comment 13 Stuart Herbert (RETIRED) 2005-07-13 09:13:17 UTC
ppc64: please stabilise php-cgi-4.4.0 as part of this bug. General note: dev-php/php, dev-php/php-cgi and dev-php/mod_php packages always need stabilising at the same time. Best regards, Stu
Comment 14 Bryan Østergaard (RETIRED) 2005-07-13 11:41:43 UTC
Stable on alpha + ia64.
Comment 15 Markus Rothe (RETIRED) 2005-07-13 12:55:34 UTC
stuart: we (ppc64) have never had an ebuild keyworded for the 4.x release series. If you *really want* this package stable on ppc64, I'm going to test it. :-)
Comment 16 Thierry Carrez (RETIRED) 2005-07-14 03:38:35 UTC
php-cgi was never keyworded ppc64 so I guess it could stay that way. That said, we are still missing a few keywords:
amd64: on php, mod_php and php-cgi 4.4.0
hppa: on php-cgi 4.4.0
Comment 17 Luis Medinas (RETIRED) 2005-07-14 07:14:42 UTC
dev-php/php-4.4.0 dev-php/php-cgi-4.4.0 dev-php/mod_php-4.4.0-r1 tested in amd64. Works fine.
Comment 18 Simon Stelling (RETIRED) 2005-07-14 08:45:29 UTC
thanks, amd64 finally stable
Comment 19 René Nussbaumer (RETIRED) 2005-07-14 11:24:38 UTC
Thanks. Stable on hppa.
Comment 20 Thierry Carrez (RETIRED) 2005-07-15 01:37:31 UTC
amd64 still misses php-cgi AFAICT...
Comment 21 Simon Stelling (RETIRED) 2005-07-15 05:48:42 UTC
sorry, forgot about php-cgi... amd64 finally done.
Comment 22 Thierry Carrez (RETIRED) 2005-07-15 07:59:16 UTC
GLSA 200507-15
mips, s390 should mark stable to benefit from the GLSA.
Comment 23 Hardave Riar (RETIRED) 2005-07-23 22:31:21 UTC
Stable on mips.