oss-sec mailing list archives
php header() header injection detection bypass
From: Raphael Geissert <geissert () debian org>
Date: Wed, 29 Aug 2012 13:26:34 -0500
Hi,

Reviewing a list of CVE ids that were assigned from the Debian CNA pool, I noticed there is one [id] for php5 that hasn't been made public, yet the issue has already been re-re-reported and in this one last round finally fixed.

I'm talking about https://bugs.php.net/60227

It was independently reported by two persons but as of this time their reports (#54182 and #54006) are still hidden behind the "security bug" curtain of PHP's bug tracker. Back when they were reported, I had assigned the following id:

CVE-2011-1398 "header injection detection bypass."

Note that the id only applies to the CR bypass part of the issue.

Then came this other report (#60227, originally reported as #60028 by the same person but tagged security, which hid it too), which led to finally fixing the bug (but please beware of the original fix by reading [1]).

Unless I missed something, the CR bypass issue was never assigned a CVE id once it became public. Please do correct me if I'm wrong.

[1] http://article.gmane.org/gmane.comp.php.devel/70584

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Current thread:
- php header() header injection detection bypass Raphael Geissert (Aug 29)
- Re: php header() header injection detection bypass Kurt Seifried (Aug 31)
- Re: php header() header injection detection bypass Raphael Geissert (Aug 31)
- Re: php header() header injection detection bypass Kurt Seifried (Sep 01)
- Re: php header() header injection detection bypass Eygene Ryabinkin (Sep 04)
- Re: php header() header injection detection bypass cve-assign (Sep 04)
- Re: Re: php header() header injection detection bypass Raphael Geissert (Sep 04)
- Re: php header() header injection detection bypass cve-assign (Sep 05)
- Re: Re: php header() header injection detection bypass Raphael Geissert (Sep 06)
- Re: php header() header injection detection bypass Raphael Geissert (Aug 31)
- Re: Re: php header() header injection detection bypass Eygene Ryabinkin (Sep 04)
- Re: php header() header injection detection bypass Kurt Seifried (Aug 31)