Bug 64657 (CVE-2004-0959)

Summary: VUL-0: CVE-2004-0959: php4 updates missing?
Product: [Novell Products] SUSE Security Incidents Reporter: Christoph Thiel <cthiel>
Component: IncidentsAssignee: Andreas Jaeger <aj>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: forgotten_N1m2whZ-xl, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0959: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2004-0958:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Christoph Thiel 2005-01-08 05:43:54 UTC 
I just checked the new 9.2-ftp tree (on ftp.gwdg.de) and found out, that there
are new php4 rpms with sec fixes (see diff). Now I wonder, why there haven't
been any you updates yet ;)
 

cthiel@t41p:~> diff -ur php4-4.3.8-8.changelog php4-4.3.8-8.2.changelog 
--- php4-4.3.8-8.changelog      2005-01-07 22:35:53.890271768 +0100
+++ php4-4.3.8-8.2.changelog    2005-01-07 22:35:25.719554368 +0100
@@ -1,3 +1,7 @@
+* Do Dez 16 2004 - tcrhak@suse.cz
+
+- fixed several vulnerabilities (bug 63635, patch secfix1)
+
 * Di Okt 05 2004 - pmladek@suse.cz
 
 - added /usr/lib/php/sce_install to prerequires of php4-swf; it is in the
cthiel@t41p:~>
Comment 1 Christoph Thiel 2005-01-08 05:43:54 UTC 
<!-- SBZ_reproduce  -->
n/a
Comment 2 Marcus Meissner 2005-01-08 07:06:03 UTC 
because they do not have the full patch set required. 
becuase they have not passed our QA. 
because theyu are still work in progress. 
 
Andreas, how could this happen? I thought the ftp tree 
was mastered from the GA master?
Comment 3 Christoph Thiel 2005-01-08 07:08:36 UTC 
Well, check
http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/9.2/ChangeLog, it
doesn't really look like GA ;)
Comment 4 Christoph Thiel 2005-01-08 07:14:53 UTC 
Btw: RedHat already released php4 updates (I can't verify if they worked on the
same issues, you'r working on right now):

                   Red Hat Security Advisory

Synopsis:          Updated php packages fix security issues and bugs
Advisory ID:       RHSA-2004:687-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2004-687.html
Issue date:        2004-12-21
Updated on:        2004-12-21
Product:           Red Hat Enterprise Linux
Keywords:          PHP
Obsoletes:         RHBA-2004:272
CVE Names:         CAN-2004-0958 CAN-2004-0959 CAN-2004-1018 CAN-2004-1019
CAN-2004-1065
Comment 5 Marcus Meissner 2005-01-08 07:16:38 UTC 
yes, i know redhat did. 
 
but with 3 weeks christmas shutdown, and other product work we have not 
finished the php4 update yet. and now the next high critical kernel problem  
which has precedence. 
 
the php4 on ftp is at least somewhat safer as the previous one.
Comment 6 Christoph Thiel 2005-01-08 07:19:40 UTC 
Sure, I'm not blaming you...  now that we have "somewhat safer" php rpms to use
for updates, it's ok with me ;)
Comment 7 Forgotten User N1m2whZ-xl 2005-01-08 07:56:21 UTC 
But it ia a very critical point from the sight of the chiefs of gwdg,de,
regarding our SLES-8 installations (several 100).
This latency is bad for business. The relative SUSE latency, that is the point...
So please struggle on, it it against the enemy.
Comment 8 Andreas Jaeger 2005-01-08 17:37:32 UTC 
Marcus, let's sit together some time next week and discuss these issues. 
 
Christoph, Eberhard: The update will go out after all issues have been 
fixed and properly tested, there's no need to keep this bugreport open 
for tracking.
Comment 9 Thomas Biege 2009-10-13 20:10:08 UTC 
CVE-2004-0959: CVSS v2 Base Score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)