Date: Thu, 21 Apr 2016 19:42:20 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Cc: security@....net, Lior Kaplan <kaplan@...ian.org>,
	Ondřej Surý <ondrej@...ian.org>
Subject: Re: CVE request: PHP issues fixed in 7.0.5, 5.6.20 and 5.5.34 releases

Hi,

On Mon, Apr 11, 2016 at 09:41:41PM +0200, Matthias Geerdsen wrote:
> Hi,
> 
> could you please provide CVE IDs for the following PHP issues fixed in
> the latest releases, as I have not seen any IDs yet:
> 
> - Buffer over-write in finfo_open with malformed magic file
> https://bugs.php.net/bug.php?id=71527
> http://bugs.gw.com/view.php?id=522
> 
> - Integer overflow in php_raw_url_encode
> https://bugs.php.net/bug.php?id=71798
> https://git.php.net/?p=php-src.git;a=commit;h=95433e8e339dbb6b5d5541473c1661db6ba2c451
> 
> 
> - php_snmp_error() Format String Vulnerability
> https://bugs.php.net/bug.php?id=71704
> https://git.php.net/?p=php-src.git;a=commit;h=6e25966544fb1d2f3d7596e060ce9c9269bbdcf8
> 
> 
> - Invalid memory write in phar on filename containing \0 inside name
> https://bugs.php.net/bug.php?id=71860
> https://gist.github.com/smalyshev/80b5c2909832872f2ba2
> 
> 
> - AddressSanitizer: negative-size-param (-1) in mbfl_strcut
> https://bugs.php.net/bug.php?id=71906
> https://gist.github.com/smalyshev/d8355c96a657cc5dba70

Can CVE identifiers be assigned for those?

The recent Ubuntu USN 2952-1 also fixed some other issues without
CVE identifiers, cf. http://www.ubuntu.com/usn/usn-2952-1/

Regards,
Salvatore
