
Bug 97655

Summary: dev-php/php pear client is affected by XML_RPC PHP flaw (CAN-2005-1921)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: major
CC: php-bugs
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B1 [glsa]
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:42:34 UTC
The pear command makes use of affected XML-RPC library.

php-4.4.0_rc2 is in the tree, but it's probably better to have a patched version of the current stable, which can be stabilized faster.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-07-01 13:43:28 UTC
Rating B2 as it requires the unusual setup of having malicious PEAR servers to
connect to...
Comment 2 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-01 22:45:32 UTC
Maybe just adding


to the dev-php/php, dev-php/php-cgi, and dev-php/mod_php ebuilds does the trick.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-07-08 01:51:40 UTC
php herd: your call... we are a little late already :)
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-07-11 06:15:36 UTC
PHP herd waits for php 4.4.0 final.
Comment 5 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-11 07:49:43 UTC
PHP 4.4.0 (final) is in the tree.
Comment 6 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-11 18:19:14 UTC
Arches please test and mark 4.4.0 stable, thank you.
Comment 7 Jason Wever (RETIRED) gentoo-dev 2005-07-11 18:30:14 UTC
mod_php-4.4.0 has a dependency on >=net-www/apache-2.0.54-r10.  do we really
want this right now (as I believe this is one of the apache builds with the new
Comment 8 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-12 00:02:37 UTC
I am working on a new ebuild for mod_php-4.4.0 that is based on the current
mod_php-4.3.11 ebuild.

The current mod_php-4.4.0 ebuild will become mod_php-4.4.0-r1 and use the new
Apache layout.
Comment 9 Sebastian Bergmann (RETIRED) gentoo-dev 2005-07-12 02:15:07 UTC
Stable on x86.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-12 08:54:51 UTC
sparc stable.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2005-07-12 10:17:39 UTC
stable on ppc64
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2005-07-12 12:27:00 UTC
ppc stable
Comment 13 Stuart Herbert (RETIRED) gentoo-dev 2005-07-13 09:13:17 UTC
ppc64: please stabilise php-cgi-4.4.0 as part of this bug.

General note: dev-php/php, dev-php/php-cgi and dev-php/mod_php packages always need stabilising at the same time.

Best regards,
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-13 11:41:43 UTC
Stable on alpha + ia64.
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2005-07-13 12:55:34 UTC
stuart: we (ppc64) have never had an ebuild keyworded for the 4.x release
series. If you *really want* this package stable on ppc64, I'm going to test it. :-)
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-07-14 03:38:35 UTC
php-cgi was never keyworded ppc64 so I guess it could stay that way.
That said, we are still missing a few keywords:

amd64: on php, mod_php and php-cgi 4.4.0
hppa: on php-cgi 4.4.0
Comment 17 Luis Medinas (RETIRED) gentoo-dev 2005-07-14 07:14:42 UTC
dev-php/php-4.4.0 dev-php/php-cgi-4.4.0 dev-php/mod_php-4.4.0-r1 tested in
amd64. Works fine.
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-07-14 08:45:29 UTC
thanks, amd64 finally stable
Comment 19 René Nussbaumer (RETIRED) gentoo-dev 2005-07-14 11:24:38 UTC
Thanks. Stable on hppa.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-07-15 01:37:31 UTC
amd64 still misses php-cgi AFAICT...
Comment 21 Simon Stelling (RETIRED) gentoo-dev 2005-07-15 05:48:42 UTC
sorry, forgot about php-cgi... amd64 finally done.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-07-15 07:59:16 UTC
GLSA 200507-15
mips, s390 should mark stable to benefit from GLSA
Comment 23 Hardave Riar (RETIRED) gentoo-dev 2005-07-23 22:31:21 UTC
Stable on mips.