oss-sec mailing list archives
Issues without CVE names in PHP 5.3.4/5.2.15 release
From: Vincent Danen <vdanen () redhat com>
Date: Mon, 13 Dec 2010 09:33:00 -0700
Looking at the PHP web site, there are a few issues fixed in the most recent releases that don't seem to have a CVE name:

* Fixed crash in zip extract method (possible CWE-170).
* Fixed symbolic resolution support when the target is a DFS share.
* Fixed extract() to do not overwrite $GLOBALS and $this when using EXTR_OVERWRITE.

Also doesn't seem to be much info on these readily available.

The first seems to be related to this SVN commit (don't see a bug for it):

http://svn.php.net/viewvc?view=revision&revision=305848

The second seems to be Windows-specific and is this bug (haven't found the SVN commit for it yet):

http://bugs.php.net/bug.php?id=51945

The third seems to be 5.2-specific (no mention in the 5.3 changes), but I've not yet found the bug or SVN commit.

Do these have CVE names yet?

--
Vincent Danen / Red Hat Security Response Team
Current thread:
- Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Raphael Geissert (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Vincent Danen (Dec 13)
- Re: Issues without CVE names in PHP 5.3.4/5.2.15 release Pierre Joye (Dec 13)