[pkg-php-pear] Fixes for CVE-2015-6723

Alessandro Ghedini ghedo at debian.org
Thu Sep 3 13:07:43 UTC 2015


On Mon, Aug 31, 2015 at 11:50:46PM -0400, David Prévot wrote:
> Hi,
> 
> After uploading the fixed packages in unstable and experimental 
> for CVE-2015-6723, I just prepared and built (but not yet tested) fixed
> packages for Jessie. Since applications need to run with a umask of 0 in
> order to exploit this “local arbitrary code execution with privileges of
> other users (privilege escalation)” issue, upstream “consider
> exploitability to be low to medium.” [0]
> 
> 	0: http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
> 
> If you agree with upstream point of view, maybe this issue won’t
> deserve a DSA, and I’ll ask the release team to include the proposed
> fixes in time for 8.3.

Yeah, I think this is better fixed via proposed-updates. However note that the
CVE is CVE-2015-5723, not CVE-2015-6723.

I just marked the issue as no-dsa in the security tracker.

Cheers