Date: Wed, 3 Nov 2010 09:07:19 +0100 From: Sebastian Krahmer <krahmer@...e.de> To: oss-security@...ts.openwall.com Subject: Re: utf-8 security issue in php JFYI, our php maintainer found that 5.2 seems to use same xml.c so a patch is needed too. Sebastian On Tue, Nov 02, 2010 at 08:08:58PM +0100, Pierre Joye wrote: > hi, > > On Tue, Nov 2, 2010 at 6:10 PM, Vincent Danen <vdanen@...hat.com> wrote: > > * [2010-11-02 16:35:25 +0100] Pierre Joye wrote: > > > >> On Tue, Nov 2, 2010 at 3:24 PM, Josh Bressers <bressers@...hat.com> wrote: > >> > >>> As best as I can tell, this only needs one ID. Please use CVE-2010-3870. > >> > >> Thanks, I updated the bug report and the NEWS file. > >> > >> Please note that only 5.3 and later contains this fix. 5.3.4 will have the > >> fix. > > > > Are you saying that 5.3 and later _need_ this fix? I.e. that this > > doesn't affect earlier versions? Can you clarify? Thanks. > > This comment was not very clear, sorry. > > I'm saying that 5.3 and later have been changed to fix this problem. I > have no idea if 5.2 requires a fix and won't investigate either (sadly > no time). It was more for the CVE description, to be sure that the > mention of 5.3+ will be present. > > Cheers, > -- > Pierre > > @pierrejoye | http://blog.thepimp.net | http://www.libgd.org -- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@...e.de - SuSE Security Team ~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ