View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000203 | Main CAcert Website | misc | public | 2006-04-12 23:57 | 2013-11-20 22:23 |
Field | Value |
---|---|
Reporter | |
Assigned To | duane |
Priority | urgent |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Fixed in Version | 2006 |
Summary | 0000203: old versions |
Tags | No tags attached. |
Reviewed by | |
Test Instructions | |

Description

Using nmap I found that CAcert is currently running Apache httpd 1.3.33 ((Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.22 OpenSSL/0.9.7d). The release of Debian PHP/4.3.9-1 was on 4 Oct 2004 and there have been _a lot_ of urgent security updates since. The current version of php4 in Debian stable is 4.3.10-16. See http://packages.debian.org/changelogs/pool/main/p/php4/php4_4.3.10-16/changelog

I don't know about any possible exploit but I'm sure there are some. For example, let php crash using http://www.cacert.org/index.php?getvar[][

The same applies to apache, mod_ssl, OpenSSL, etc. For example:

libapache-mod-ssl (2.8.22-1sarge1) stable-security; urgency=high

"ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions."

And I didn't talk about Postfix, bind, ...
Notes

All packages from debian stable and debian security repositories are up to date. Debian policy prefers backporting security patches rather than updating versions in stable repositories...

The version number reported by the webserver is a Debian version number: CAcert is using "PHP/4.3.9-1", but the current Debian stable is "PHP/4.3.10-16". As -1 or -16 is not a PHP version (as far as I know) I still believe that there is something wrong. Maybe you're using a source mirror that isn't updated anymore? Could you please copy /etc/apt/source.list and tell me the version of apache and php as it is reported by the package manager?

Security fixes are released through the security repository...

I was talking to the Debian guys on LinuxTag today. They were telling me that the CAcert version of PHP is definitely NOT current. Possible reason for this bug: CAcert is using oldstable aka woody. There is no PHP version 4.3.9 in woody (iirc the maximum is 4.1.something). The current version has been installed manually using a deb-package from a different source. The current woody versions with security patches applied are lower than 4.3.9 so they will never get installed. This may be the case for other packages as well. Duane, you or someone else should check with every installed program that it is really a current and secure version!

Reminder sent to: duane
Please don't forget this bug!

Bluec: Can you provide a tool or step-by-step guideline how to check all packages, whether they are current?

Duane: Didn't you compile the PHP version yourself?

FYI.

Severity: High
Title: PHP: Multiple vulnerabilities
Date: May 08, 2006
Gentoo-ID: 200605-08

Description: Several vulnerabilities were discovered in PHP4 and PHP5 by Infigo, Tonu Samuel and Maksymilian Arciemowicz. These included a buffer overflow in the wordwrap() function, restriction bypasses in the copy() and tempname() functions, a cross-site scripting issue in the phpinfo() function, a potential crash in the substr_compare() function and a memory leak in the non-binary-safe html_entity_decode() function.

Impact: Remote attackers might be able to exploit these issues in PHP applications making use of the affected functions, potentially resulting in the execution of arbitrary code, Denial of Service, execution of scripted contents in the context of the affected site, security bypass or information leak.

It seems to me as if someone updated PHP. I guess it's OK to close this bug now.

> Can you provide a tool or step-by-step guideline
> how to check all packages, whether they are current?

Well, this should normally be done by the package manager and/or security update system. The first step would be to identify all manually installed/updated/modified packages. Then you find out which version is installed and check the internet for updates. There is nothing else you could do (port scanning the server as I did initially is only helpful for major issues and may overlook something).
Date Modified | Username | Field | Change |
---|---|---|---|
2006-04-12 23:57 | | New Issue | |
2006-04-21 06:14 | duane | Status | new => closed |
2006-04-21 06:14 | duane | Note Added: 0000160 | |
2006-04-21 06:14 | duane | Resolution | open => won't fix |
2006-04-21 20:09 | | Note Added: 0000184 | |
2006-04-21 20:10 | | Status | closed => needs feedback |
2006-04-21 20:10 | | Resolution | won't fix => reopened |
2006-04-21 20:54 | duane | Status | needs feedback => closed |
2006-04-21 20:54 | duane | Note Added: 0000187 | |
2006-04-21 20:54 | duane | Resolution | reopened => not fixable |
2006-04-24 05:13 | | Assigned To | => bluec |
2006-04-24 05:13 | | Status | closed => needs work |
2006-05-04 22:53 | | Note Added: 0000216 | |
2006-05-04 22:53 | | Assigned To | bluec => duane |
2006-05-04 22:53 | | Resolution | not fixable => open |
2006-05-08 01:53 | Sourcerer | Note Added: 0000219 | |
2006-05-08 02:14 | Sourcerer | Note Added: 0000220 | |
2006-05-08 02:15 | Sourcerer | Note Added: 0000221 | |
2006-05-09 17:55 | | Note Added: 0000223 | |
2006-05-16 23:54 | | Note Added: 0000229 | |
2006-05-16 23:54 | | Status | needs work => closed |
2006-05-16 23:54 | | Resolution | open => fixed |
2013-01-14 03:33 | Werner Dworak | Fixed in Version | => 2006 |
2013-11-20 22:23 | NEOatNHNG | View Status | private => public |