Date: Fri, 20 Aug 2010 13:00:28 +0200
From: Tomas Hoger <>
Cc:, Moritz Muehlenhoff <>,
        "Steven M. Christey" <>
Subject: Re: CVE request: PHP MOPS-2010-56..60

On Fri, 20 Aug 2010 12:38:31 +0200 Pierre Joye wrote:

> > MOPS-2010-056 - MOPS-2010-060 as subject indicates.  Those are
> > mysqlnd issues and session serializer issue allowing data
> > injection.  Not any from that set of interruption issues that
> > exposed one or two problems in different ways.
> As far as I can tell and see, both the mysqlnd and session issues have
> been fixed.

Raphael posted commit links earlier in this thread.

> Phar:

I'm aware of that commit.  It does not change
php_stream_wrapper_log_error invocation from phar_stream_flush, as
mentioned in MOPS-2010-024:

Hence the question if there is some less obvious change that makes that
particular case a non-issue too.

> As far as I remember, the resources related issues are not fixed (-22
> and -03), it is also not new and related to the same bug. I also don't
> think that it will get fixed any time soon as it is not possible to
> fix easily. I think there is already a CVE about this problem.

Are you aware of any good reference that covers the issue
in greater detail?

Thank you!

Tomas Hoger / Red Hat Security Response Team
