Univention Bugzilla – Bug 48365
php5: Multiple issues (4.2)
Last modified: 2018-12-19 14:15:10 CET
New Debian php5 5.6.39+dfsg-0+deb8u1 fixes: This update addresses the following issues: * imap_open() allows running arbitrary shell commands via mailbox parameter (CVE-2018-19518) * ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty string in the message argument to the imap_mail function. (CVE-2018-19935)
--- mirror/ftp/4.2/unmaintained/component/4.2-5-errata/source/php5_5.6.38+dfsg-0+deb8u1.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/php5_5.6.39+dfsg-0+deb8u1.dsc @@ -1,3 +1,14 @@ +5.6.39+dfsg-0+deb8u1 [Sun, 16 Dec 2018 16:28:06 -0500] Roberto C. Sanchez <roberto@debian.org>: + + * Non-maintainer upload by the LTS Team. + * New upstream version 5.6.39 + - [CVE-2018-19518] An argument injection vulnerability in imap_open() + may allow a remote attacker to execute arbitrary OS commands on the IMAP + server. + - [CVE-2018-19935] A NULL pointer dereference leads to an application + crash and a denial of service via an empty string in the message + argument to the imap_mail function of ext/imap/php_imap.c. + 5.6.38+dfsg-0+deb8u1 [Wed, 19 Sep 2018 22:05:16 -0400] Roberto C. Sanchez <roberto@debian.org>: * Non-maintainer upload by the LTS Team. <http://10.200.17.11/4.2-5/#1141819270630398691>
OK: yaml OK: announce_errata OK: patch ~OK: piuparts some files are not purged and some from Apache2 are. > 0m36.4s INFO: Warning: Package purging left files on system: > /etc/apache2/mods-enabled/mpm_prefork.conf -> ../mods-available/mpm_prefork.conf not owned > /etc/apache2/mods-enabled/mpm_prefork.load -> ../mods-available/mpm_prefork.load not owned > /var/lib/apache2/module/disabled_by_admin/ not owned > /var/lib/apache2/module/disabled_by_maint/ not owned > /var/lib/apache2/module/disabled_by_maint/mpm_event not owned > /var/lib/apache2/module/enabled_by_maint/mpm_prefork not owned > /var/lib/php5/modules/apache2filter/ not owned > /var/lib/php5/modules/apache2filter/disabled_by_maint/ not owned > /var/lib/php5/modules/apache2filter/disabled_by_maint/json not owned > /var/lib/php5/modules/apache2filter/disabled_by_maint/opcache not owned > /var/lib/php5/modules/apache2filter/disabled_by_maint/pdo not owned > /var/lib/php5/modules/apache2filter/enabled_by_maint/ not owned > > 0m36.4s ERROR: FAIL: After purging files have disappeared: > /etc/apache2/mods-enabled/mpm_event.conf -> ../mods-available/mpm_event.conf not owned > /etc/apache2/mods-enabled/mpm_event.load -> ../mods-available/mpm_event.load not owned > /var/lib/apache2/module/enabled_by_maint/mpm_event not owned [4.2-5] b0090896c5 Bug #48365: php5 5.6.39+dfsg-0+deb8u1 doc/errata/staging/php5.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) [4.2-5] 13517e6692 Bug #48365: php5 5.6.39+dfsg-0+deb8u1 doc/errata/staging/php5.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.2/567.html>