As per my comments in bug 133524, please update GLSA 200605-08 with slotted wrappers: --- old/glsa-200605-08.xml 2006-07-30 15:37:02.000000000 -0400 +++ glsa-200605-08.xml 2006-08-25 16:11:43.000000000 -0400 @@ -20,13 +20,17 @@ <affected> <package name="dev-lang/php" auto="yes" arch="arm hppa ppc s390 sh sparc x86 x86-fbsd"> <unaffected range="ge">5.1.4</unaffected> - <unaffected range="rge">4.4.2-r2</unaffected> <vulnerable range="lt">5.1.4</vulnerable> + <vulnerable range="ge">5.0</vulnerable> + <unaffected range="ge">4.4.2-r2</unaffected> + <vulnerable range="lt">4.4.2-r2</vulnerable> </package> <package name="dev-lang/php" auto="yes" arch="alpha amd64 ia64 ppc64"> <unaffected range="ge">5.1.4-r4</unaffected> - <unaffected range="rge">4.4.2-r6</unaffected> <vulnerable range="lt">5.1.4-r4</vulnerable> + <vulnerable range="ge">5.0</vulnerable> + <unaffected range="ge">4.4.2-r6</unaffected> + <vulnerable range="lt">4.4.2-r6</vulnerable> </package> </affected> <background>
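Review bot: the replacement `<unaffected range="ge">4.4.2-r2</unaffected>` in both package blocks is unbounded upward, so it also matches every 5.0.x version that the adjacent `<vulnerable range="ge">5.0</vulnerable>` / `<vulnerable range="lt">5.1.4</vulnerable>` pair is meant to flag; the 4.4 branch needs an upper bound, or the per-slot split that the summary line promises but the hunk does not contain, so that the two branches do not overlap. The removed `rge` form avoided that overlap but only matched revisions of 4.4.2 itself, which is why a later 4.4.x release would not be covered by it either; whichever form is kept, the same change should be applied identically to both arch blocks, as it is here.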
php team, is php-4.4.3-r1 patched wrt this, or is it vulnerable? thanks
Should be fixed in cvs, thank you
Fixed for x86, but could you add the unaffected section to alpha/amd64/ia64/ppc64?
Thx for the notification. It's fixed in CVS now.
*** Bug 146231 has been marked as a duplicate of this bug. ***
Reopening, glsa-check still marks 4.4.3-r1 as vulnerable, at least on amd64. Perhaps glsa-check is not happy with the "more complex than usual" arch section?
I can test and provide info if needed.
(In reply to comment #7)
> I can test and provide info if needed.
>
It's our fault. If we merge:
<package name="dev-lang/php" auto="yes" arch="arm hppa ppc s390 sh sparc x86 x86-fbsd">
  <unaffected range="ge">FOO</unaffected>
</package>
<package name="dev-lang/php" auto="yes" arch="alpha amd64 ia64 ppc64">
  <unaffected range="rge">FOO</unaffected>
</package>
in one single entry:
<package name="dev-lang/php" auto="yes" arch="*">
  <unaffected range="rge">4.4.3-r1</unaffected>
</package>
whereas there are still arch entries elsewhere, glsa-check seems not happy. I've just corrected this in CVS. Please reopen if glsa-check still complains.
Reopening, due to php-4.4.6 getting flagged now (at least on amd64). I'm assuming that this bug doesn't affect 4.4.6 ... Also GLSAs 200608-28 and 200610-14 I believe are affected by this. Remind me again why slotting the affected/unaffected ranges wouldn't be better than using 'rge's?
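As an added illustration (not part of this bug thread and not portage's own glsa-check code), here is a small Python model of how `ge`, `lt` and `rge` ranges combine. It assumes, as an approximation of glsa-check, that an installed version is flagged when it matches some vulnerable range and no unaffected range, and that `rge` matches only the same base version with an equal or higher revision; run against the ranges in the hunk above and the merged `arch="*"` entry from comment 9, it shows why 4.4.3-r1 and then 4.4.6 were flagged, and that an unbounded `ge 4.4.2-r2` also swallows the 5.0.x versions.

```python
import re

# Constructed approximation of glsa-check's range matching, not portage's code.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(v):
    """Split a Gentoo version like '4.4.2-r2' into (numeric tuple, revision)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    parts = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)  # a missing -rN is the same as -r0
    return parts, rev

def compare(a, b):
    """Return -1/0/1 comparing two versions; shorter numeric tuples are zero-padded."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa = pa + (0,) * (n - len(pa))
    pb = pb + (0,) * (n - len(pb))
    key_a, key_b = (pa, ra), (pb, rb)
    return (key_a > key_b) - (key_a < key_b)

def matches(installed, rng, bound):
    """Does 'installed' fall in the range 'rng' (ge, lt or rge) relative to 'bound'?"""
    if rng == "ge":
        return compare(installed, bound) >= 0
    if rng == "lt":
        return compare(installed, bound) < 0
    if rng == "rge":
        # revision-bounded: same base version, revision >= the bound's revision
        (pi, ri), (pb, rb) = parse_version(installed), parse_version(bound)
        return pi == pb and ri >= rb
    raise ValueError(f"unsupported range type: {rng}")

def is_flagged(installed, vulnerable, unaffected):
    """Assumed rule: flagged when a vulnerable range matches and no unaffected range does."""
    hit_vuln = any(matches(installed, r, b) for r, b in vulnerable)
    hit_safe = any(matches(installed, r, b) for r, b in unaffected)
    return hit_vuln and not hit_safe

# Ranges of the hunk's first <package> block (x86 arch) after the patch ...
HUNK_VULNERABLE = [("lt", "5.1.4"), ("ge", "5.0"), ("lt", "4.4.2-r2")]
HUNK_UNAFFECTED = [("ge", "5.1.4"), ("ge", "4.4.2-r2")]
# ... and the same block before the patch, with the revision-bounded rge
OLD_VULNERABLE = [("lt", "5.1.4")]
OLD_UNAFFECTED = [("ge", "5.1.4"), ("rge", "4.4.2-r2")]
```

Calling `is_flagged("4.4.6", [("lt", "5.1.4")], [("rge", "4.4.3-r1")])` models the merged entry from comment 9 and returns True, which is the 4.4.6 report above.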
I *hope* that I fixed them all (correctly), thanks for reporting this. note to self: push slotted GLSAs
php-4.4.7 is flagged now ... with four GLSAs:
200605-08 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
200608-28 [N] PHP: Arbitary code execution ( dev-lang/php )
200610-14 [N] PHP: Integer overflow ( dev-lang/php )
200703-21 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
[I--] [ ] dev-lang/php-4.4.7 (4)
[I--] [ ] dev-lang/php-5.2.2-r1 (5)
Portage 2.1.2.2 (default-linux/x86/2007.0/desktop, gcc-3.3.6, glibc-2.3.6-r4, 2.6.14-gentoo-r2 i686)
... why can't I reopen this bug?
Sigh...
Thanks for notifying us. Fixed in CVS. Now I just wish for better range support in glsa-check.