oss-sec mailing list archives
Re: Re: NULL byte poisoning fix in php 5.3.4+
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 9 Dec 2010 10:20:57 -0500 (EST)
On Thu, 9 Dec 2010, Pierre Joye wrote:
> We fixed it for all file functions. See the link to the commit for more details about which code has been changed. Do we need a CVE for every function? I hope not :)
Not really - if all functions were fixed in the same version, then that's not "textbook" CVE but close enough.
The main drivers for my question were (a) were there any other issues that remain unfixed, and (b) in general we try to have the year portion of CVE IDs align with publication (except for year-crossing time frames like Dec/Jan). In this case it might have been more reasonable to assign a 1999 CVE, but the 2006 assignment isn't horrible either...
- Steve