oss-sec mailing list archives
Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Thu, 21 Apr 2016 13:46:49 -0400
On 2016-04-21 01:42 PM, Salvatore Bonaccorso wrote:
Hi, On Mon, Apr 11, 2016 at 09:41:41PM +0200, Matthias Geerdsen wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi, could you please provide CVE IDs for the following PHP issues fixed in the latest releases, as I have not yet seen any IDs yet: - - Buffer over-write in finfo_open with malformed magic file https://bugs.php.net/bug.php?id=71527 http://bugs.gw.com/view.php?id=522 - - Integer overflow in php_raw_url_encode https://bugs.php.net/bug.php?id=71798 https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c 1661db6ba2c451 - - php_snmp_error() Format String Vulnerability https://bugs.php.net/bug.php?id=71704 https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060 ce9c9269bbdcf8 - - Invalid memory write in phar on filename containing \0 inside name https://bugs.php.net/bug.php?id=71860 https://gist.github.com/smalyshev/80b5c2909832872f2ba2 - - AddressSanitizer: negative-size-param (-1) in mbfl_strcut https://bugs.php.net/bug.php?id=71906 https://gist.github.com/smalyshev/d8355c96a657cc5dba70Can CVE identiers be assigned for those? The recent Ubuntu USN 2952-1 as well fixed some other issues without CVE identifers, cf. http://www.ubuntu.com/usn/usn-2952-1/
FYI, here is information on the two issues that didn't have CVE numbers in the Ubuntu update: 1- libxml_disable_entity_loader setting is shared between threads https://bugs.php.net/bug.php?id=64938 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817 http://framework.zend.com/security/advisory/ZF2015-06 http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9 2- openssl_random_pseudo_bytes() is not cryptographically secure https://bugs.php.net/bug.php?id=70014 https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1534203 http://git.php.net/?p=php-src.git;a=commit;h=16023f3e3b9c06cf677c3c980e8d574e4c162827 Marc.
Current thread:
- CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Matthias Geerdsen (Apr 11)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Salvatore Bonaccorso (Apr 21)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Marc Deslauriers (Apr 21)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases cve-assign (Apr 23)
- Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases Salvatore Bonaccorso (Apr 21)