Date: Wed, 14 Aug 2013 21:07:28 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Oden Eriksson <oeriksson@...driva.com>
Subject: Re: CVE Request -- php - handling of certs with null bytes

On 08/14/2013 02:47 AM, Oden Eriksson wrote:
> Hello, A similar flaw as in ruby and python was discovered and
> fixed for php.
> 
> ruby - CVE-2013-4073
> python - CVE-2013-4238
> php - CVE-2013-????
> 
> http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/[1]
>
>  Upstream fixes:
> 
> http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755[2]
>
>  
> http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897[3]
>
> 
> 
> https://bugs.mageia.org/show_bug.cgi?id=10997
> 
> Cheers.
> 
> -------- [1]
> http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
>
> 
> [2]
> http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
> [3]
> http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897
>
> 
Please use CVE-2013-4248 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
