View Issue Details

ID: 0000203
Project: Main CAcert Website
Category: misc
View Status: public
Last Update: 2013-11-20 22:23
Reporter: bluec
Assigned To: duane
Priority: urgent
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2006
Summary: 0000203: old versions
Description

Using nmap I found that CAcert is currently running Apache httpd 1.3.33 ((Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.22 OpenSSL/0.9.7d).

Release of Debian PHP/4.3.9-1 was on 4 Oct 2004 and there have been _a lot_ of urgent security updates since. Current version of php4 in Debian stable is 4.3.10-16. See

http://packages.debian.org/changelogs/pool/main/p/php4/php4_4.3.10-16/changelog

I don't know about any possible exploit but I'm sure there are some. For example let php crash using

  http://www.cacert.org/index.php?getvar[][


Same applies to apache, mod_ssl, OpenSSL, etc. For example:

  libapache-mod-ssl (2.8.22-1sarge1) stable-security; urgency=high

"ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions."

And I didn't talk about Postfix, bind, ...
Tags: No tags attached.
Reviewed by
Test Instructions

Activities

duane

2006-04-21 06:14

developer   ~0000160

All packages from debian stable and debian security repositories are up to date.

Debian policy prefers backporting security patches rather than updating versions in stable repositories...

bluec

2006-04-21 20:09

manager   ~0000184

The version number reported by the webserver is a Debian version number: CAcert is using "PHP/4.3.9-1", but the current Debian stable is "PHP/4.3.10-16". As -1 or -16 is not a PHP version (as far as I know) I still believe that there is something wrong.

Maybe you're using a source mirror that isn't updated anymore? Could you please copy /etc/apt/source.list and tell me the version of apache and php as it is reported by the package manager?

duane

2006-04-21 20:54

developer   ~0000187

security fixes are released through the security repository...

bluec

2006-05-04 22:53

manager   ~0000216

I was talking to the Debian guys at LinuxTag today. They were telling me that the CAcert version of PHP is definitely NOT current.

Possible reason for this bug:

CAcert is using oldstable aka woody. There is no PHP version 4.3.9 in woody (IIRC the maximum is 4.1.something). The current version has been installed manually using a deb-package from a different source.


The current woody versions with security patches applied are lower than 4.3.9 so they will never get installed.


This may be the case for other packages as well. Duane, you or someone else should check with every installed program that it is really a current and secure version!

Sourcerer

2006-05-08 01:53

administrator   ~0000219

Reminder sent to: duane

Please don't forget this bug!

Sourcerer

2006-05-08 02:14

administrator   ~0000220

Bluec: Can you provide a tool or step-by-step guideline how to check all packages, whether they are current?

Sourcerer

2006-05-08 02:15

administrator   ~0000221

Duane: Didn't you compile the PHP version yourself?

bluec

2006-05-09 17:55

manager   ~0000223

FYI.

  Severity: High
     Title: PHP: Multiple vulnerabilities
      Date: May 08, 2006
 Gentoo-ID: 200605-08

Description
===========

Several vulnerabilities were discovered on PHP4 and PHP5 by Infigo,
Tonu Samuel and Maksymilian Arciemowicz. These included a buffer
overflow in the wordwrap() function, restriction bypasses in the copy()
and tempname() functions, a cross-site scripting issue in the phpinfo()
function, a potential crash in the substr_compare() function and a
memory leak in the non-binary-safe html_entity_decode() function.

Impact
======

Remote attackers might be able to exploit these issues in PHP
applications making use of the affected functions, potentially
resulting in the execution of arbitrary code, Denial of Service,
execution of scripted contents in the context of the affected site,
security bypass or information leak.

bluec

2006-05-16 23:54

manager   ~0000229

It seems to me as if someone updated PHP. I guess it's OK to close this bug now.


> Can you provide a tool or step-by-step guideline
> how to check all packages, whether they are current?

Well, this should normally be done by the package manager and/or security update system. First step would be to identify all manually installed/updated/modified packages. Then you find out which version is installed and check the internet for updates. There is nothing else you could do (port scanning the server as I did it initially is only helpful for major issues and may overlook something).
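
Added example, not part of the original thread or of CAcert's tooling: one way to automate the first step described above on a Debian/apt host, by classifying `apt-cache policy` output so that a hand-installed package whose version no configured repository offers is flagged even though apt considers it up to date. The names `classify_policy` and `sample_policy`, the package names and the mirror hostnames are constructed for illustration, and the parser assumes the usual `apt-cache policy` layout.

```shell
# Real use on a Debian/apt host:
#   dpkg-query -W -f='${Package}\n' | xargs apt-cache policy | classify_policy
# LOCAL: no repository offers the installed version; OUTDATED: update pending.
classify_policy() {
    awk '
    function flush() {
        if (pkg == "" || inst == "" || inst == "(none)") return
        if (!from_repo)        print pkg, "LOCAL"
        else if (inst != cand) print pkg, "OUTDATED"
        else                   print pkg, "OK"
    }
    /^[^ ].*:$/ { flush(); pkg = substr($0, 1, length($0) - 1)
                  inst = cand = ""; from_repo = in_cur = 0; next }
    $1 == "Installed:" { inst = $2; next }
    $1 == "Candidate:" { cand = $2; next }
    $1 == "***" { in_cur = 1; next }   # entry for the installed version
    # source lines under it: "<pin priority> <URL or path> ..."
    in_cur && NF >= 2 && $1 ~ /^[0-9]+$/ && $2 !~ /^[0-9]+$/ {
        if ($2 != "/var/lib/dpkg/status") from_repo = 1
        next
    }
    in_cur { in_cur = 0 }              # next version entry ends the block
    END { flush() }
    '
}

# Constructed sample input (not captured from any real host).
sample_policy() {
    cat <<'EOF'
pkg-local:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 0
        100 /var/lib/dpkg/status
     1.5-3 0
        500 http://mirror.example.invalid oldstable/main Packages
pkg-old:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 0
        500 http://security.example.invalid stable/updates/main Packages
 *** 1.0-1 0
        500 http://mirror.example.invalid stable/main Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy | classify_policy
```

`pkg-local` is the case discussed in this issue: installed and candidate versions match, so a routine upgrade reports nothing to do, yet the only repository entry is older and security updates will never reach the package.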

Issue History

Date Modified Username Field Change
2006-04-12 23:57 bluec New Issue
2006-04-21 06:14 duane Status new => closed
2006-04-21 06:14 duane Note Added: 0000160
2006-04-21 06:14 duane Resolution open => won't fix
2006-04-21 20:09 bluec Note Added: 0000184
2006-04-21 20:10 bluec Status closed => needs feedback
2006-04-21 20:10 bluec Resolution won't fix => reopened
2006-04-21 20:54 duane Status needs feedback => closed
2006-04-21 20:54 duane Note Added: 0000187
2006-04-21 20:54 duane Resolution reopened => not fixable
2006-04-24 05:13 bluec Assigned To => bluec
2006-04-24 05:13 bluec Status closed => needs work
2006-05-04 22:53 bluec Note Added: 0000216
2006-05-04 22:53 bluec Assigned To bluec => duane
2006-05-04 22:53 bluec Resolution not fixable => open
2006-05-08 01:53 Sourcerer Note Added: 0000219
2006-05-08 02:14 Sourcerer Note Added: 0000220
2006-05-08 02:15 Sourcerer Note Added: 0000221
2006-05-09 17:55 bluec Note Added: 0000223
2006-05-16 23:54 bluec Note Added: 0000229
2006-05-16 23:54 bluec Status needs work => closed
2006-05-16 23:54 bluec Resolution open => fixed
2013-01-14 03:33 Werner Dworak Fixed in Version => 2006
2013-11-20 22:23 NEOatNHNG View Status private => public