Yves-Alexis Perez wrote...
> -------------------------------------------------------------------------
> Debian Security Advisory DSA-3074-1                   secur...@debian.org
> http://www.debian.org/security/                         Yves-Alexis Perez
> November 18, 2014                      http://www.debian.org/security/faq
> -------------------------------------------------------------------------
>
> Package        : php5
> CVE ID         : CVE-2014-3710
> Debian Bug     : 68283

Um, that number is wrong. It isn't #768283 either. Worse, that update broke things: | From: root@<host-redacted> (Cron Daemon) | To: root@<host-redacted> | Subject: Cron <root@<host-redacted>> [ -x /usr/lib/php5/maxlifetime ] && [ -x /usr/lib/php5/sessionclean ] && [ -d /var/lib/php5 ] && /usr/lib/php5/sessionclean /var/lib/php5 $(/usr/lib/php5/maxlifetime) | | sed: invalid option -- 'z' | Usage: sed [OPTION]... {script-only-if-no-other-script} [input-file]... | | -n, --quiet, --silent | suppress automatic printing of pattern space The -z option isn't available in the wheezy version of sed. For the records, this is the change in sessionclean: --- /tmp/sessionclean 2014-10-20 11:03:53.000000000 +0200 +++ /usr/lib/php5/sessionclean 2014-11-18 08:02:56.000000000 +0100 @@ -1,7 +1,7 @@ #!/bin/sh # first find all used files and touch them (hope it's not massive amount of files) -[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" | awk -- '{ if (NR > 1) { print $9; } }' | xargs -i touch -c {} +[ -x /usr/bin/lsof ] && /usr/bin/lsof -w -l +d "${1}" -F0 | sed -zne "s/^n//p" | xargs -0i echo touch -c -h "'{}'" # find all files older then maxlifetime find "${1}" -depth -mindepth 1 -maxdepth 1 -ignore_readdir_race -type f -cmin "+${2}" -delete Regards, Christoph
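
Review bot: The new lsof pipeline on the `+` line depends on `sed -z`, which the cron mail quoted above shows is rejected by the sed in wheezy (`sed: invalid option -- 'z'`), so the touch step fails on every run, and nothing in the visible lines stops the `find ... -delete` line below it from running anyway. The same line ends in `xargs -0i echo touch -c -h "'{}'"`, which only prints the touch command instead of executing it, so even with a working sed the session files held open would not be refreshed before cleanup. Suggest extracting the `n` fields from the `-F0` output with a NUL-aware tool that exists in the target release, and dropping the `echo` and the extra quoting around `{}` so that `touch -c -h` is actually run.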