1
PublicDateAtUSN: 2008-12-17
2
Candidate: CVE-2008-5624
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5624
6
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=508021
7
http://www.php.net/ChangeLog-5.php#5.2.7
8
https://usn.ubuntu.com/usn/usn-720-1
10
PHP 5 before 5.2.7 does not properly initialize the page_uid and page_gid
11
global variables for use by the SAPI php_getuid function, which allows
12
context-dependent attackers to bypass safe_mode restrictions via variable
13
settings that are intended to be restricted to root, as demonstrated by a
14
setting of /etc for the error_log variable.
17
mdeslaur> the second upstream patch is for apache 1.x sapi
18
mdeslaur> apache 1.x is still in Dapper, so we better include it
25
vendor: http://patch-tracking.debian.net/patch/series/view/php5/5.2.6.dfsg.1-2/BG-initializing-fix.patch
26
upstream: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/basic_functions.c?r1=1.725.2.31.2.78&r2=1.725.2.31.2.79&diff_format=u
27
upstream: http://cvs.php.net/viewvc.cgi/php-src/sapi/apache/mod_php5.c?r1=1.19.2.7.2.15&r2=1.19.2.7.2.16&diff_format=u
28
upstream_php5: released (5.2.6.dfsg.1-1)
29
dapper_php5: released (5.1.2-1ubuntu3.13)
30
gutsy_php5: released (5.2.3-1ubuntu6.5)
31
hardy_php5: released (5.2.4-2ubuntu5.5)
32
intrepid_php5: released (5.2.6-2ubuntu4.1)
33
jaunty_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)
34
karmic_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)
35
devel_php5: not-affected (5.2.6.dfsg.1-3ubuntu2)
38
upstream_php4: needs-triage
39
dapper_php4: ignored (reached end-of-life)