GNU bug report logs

#27808 PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Full log

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Received: (at submit) by debbugs.gnu.org; 24 Jul 2017 18:57:59 +0000
From debbugs-submit-bounces@debbugs.gnu.org Mon Jul 24 14:57:59 2017
Received: from localhost ([127.0.0.1]:54668 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1dZiYJ-0006x3-6j
	for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:59 -0400
Received: from eggs.gnu.org ([208.118.235.92]:36732)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1dZiYH-0006wq-VO
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:58 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYB-000594-T1
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:52 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00,SUBJ_ALL_CAPS,
 T_DKIM_INVALID autolearn=disabled version=3.3.2
Received: from lists.gnu.org ([2001:4830:134:3::11]:50969)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiYB-00058y-PC
 for submit@debbugs.gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55935)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiYA-0008J8-Kx
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:51 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <leo@famulari.name>) id 1dZiY6-00057w-Of
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:50 -0400
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:40127)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <leo@famulari.name>) id 1dZiY6-00057J-2B
 for bug-guix@gnu.org; Mon, 24 Jul 2017 14:57:46 -0400
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 41F8E2243C;
 Mon, 24 Jul 2017 14:57:45 -0400 (EDT)
Received: from frontend1 ([10.202.2.160])
 by compute4.internal (MEProxy); Mon, 24 Jul 2017 14:57:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=content-type:date:from:message-id:mime-version:subject:to
 :x-me-sender:x-me-sender:x-sasl-enc:x-sasl-enc; s=mesmtp; bh=YQD
 J6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+exs=; b=Km+CdiFXncl5PlhxysK
 Nc7LbQqKD1gksNlpk2EntqWGaHx8NrEmAldZul4j/PsTmQuOn0VaR8I/uQUOqGkt
 fCH38X3z9v3bwiuA8vEp9MMjvLRYSiKR36iSCM3qDDpfTJtqJ/iFr+6R/uK+t71F
 8h4OAhsLEEkzKaDZs5FH/I24=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-sender:x-me-sender:x-sasl-enc
 :x-sasl-enc; s=fm1; bh=YQDJ6b5F46EUiMPVgnbz3SzVsYApe76Ar+ScZPT+e
 xs=; b=UdajGBe5I2Getbc+DQKRW99epEW+/nb022GMQkMg9RsSonx7J239etq2u
 MPoQ4nKw+30RFL+y9i6+6zVtyn/JoQ7xDfS0V/Z6Woa/Y1CxQmpZ4OokWIDYupFN
 DUFJKVO9vOKuQNK1TePly2FGBlvMA5Q+SxHfMobJNGjY9gSuFyqEdKXxX/vUbk6u
 TN+B3H43IFc9BEqWVc2NNjXwQKkjvLuUAQDShBcSsLJoZka1O8YJyYEAK0OXmDV8
 OQFyS6Ld6t0RBbEmt9zEtMx5zkMxrpSHcdgz7xg/FgM/+/iQxpR4mbrwwc5Z/lQy
 Lfp6eNx2XedbZbm5kE7MzOrV/MwxA==
X-ME-Sender: <xms:KUN2WdwkhVhQ8l34BzxUyrWsYow3zhHnieElBJE0hYmGQZa3EoWO9Q>
X-Sasl-enc: l39okwTZHiGjh0UHSZDFrfBrKGsALzMy993YLqJ5nwdZ 1500922665
Received: from localhost (c-73-165-108-70.hsd1.pa.comcast.net [73.165.108.70])
 by mail.messagingengine.com (Postfix) with ESMTPA id 03CB27E2DE
 for <bug-guix@gnu.org>; Mon, 24 Jul 2017 14:57:44 -0400 (EDT)
Date: Mon, 24 Jul 2017 14:57:44 -0400
From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: PHP CVE-2017-11144, CVE-2017-11145, CVE-2017-11362
Message-ID: <20170724185744.GA4997@jasmine.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf"
Content-Disposition: inline
User-Agent: Mutt/1.8.3 (2017-05-23)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
 [fuzzy]
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Received-From: 2001:4830:134:3::11
X-Spam-Score: -5.2 (-----)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
X-Spam-Score: -5.2 (-----)

[Message part 1 (text/plain, inline)]
Apparently our PHP package is vulnerable to CVE-2017-11144,
CVE-2017-11145, and CVE-2017-11362:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11144
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11145

This one looks especially bad:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11362

Can someone please take a look at this?

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 12:01:17 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.