Univention Bugzilla – Bug 48590
php-pear: Multiple issues (4.3)
Last modified: 2019-02-06 12:35:49 CET
New Debian php-pear 1:1.10.1+submodules+notgz-9+deb9u1 fixes:
This update addresses the following issue:
* Unsafe deserialization of data in Archive_Tar class (CVE-2018-1000888)
--- mirror/ftp/4.3/unmaintained/4.3-0/source/php-pear_1.10.1+submodules+notgz-9.dsc +++ apt/ucs_4.3-0-errata4.3-3/source/php-pear_1.10.1+submodules+notgz-9+deb9u1.dsc @@ -1,3 +1,9 @@ +1:1.10.1+submodules+notgz-9+deb9u1 [Tue, 22 Jan 2019 23:09:37 +0100] Salvatore Bonaccorso <carnil@debian.org>: + + * Non-maintainer upload by the Security Team. + * Don't allow filenames to start with phar:// (CVE-2018-1000888) + (Closes: #919147) + 1:1.10.1+submodules+notgz-9 [Wed, 25 Jan 2017 07:48:36 +0100] Mathieu Parent <sathieu@debian.org>: * Fix Vcs-* fields (was pointing to pkg-php-tools) <http://10.200.17.11/4.3-3/#6937923847946286132>
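Review bot: The added changelog line "Don't allow filenames to start with phar://" describes the fix only as a prefix check on one stream wrapper, and the lines shown here are changelog text only, so the Archive_Tar code change for CVE-2018-1000888 cannot be reviewed from this diff. Suggest referencing the upstream patch or the file it touches next to "(Closes: #919147)" so the errata reviewer can confirm how the prefix is matched (for example, whether case variants are handled) before release.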
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-3] 63b1b25b1d Bug #48590: php-pear 1:1.10.1+submodules+notgz-9+deb9u1
 doc/errata/staging/php-pear.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
<http://errata.software-univention.de/ucs/4.3/416.html>