Date: Tue, 18 Oct 2016 14:14:26 +0200
From: Remi Collet <>
Subject: Re: CVE assignment for PHP 5.6.27 and 7.0.12

On 18/10/2016 at 14:06, Adam Maris wrote:
> On 18/10/16 09:42, Lior Kaplan wrote:
>> Hi,
>> Please assign a CVE for the following issue:
>> Bug #73147    Use After Free in unserialize()
>> Thanks,
>> Kaplan
> 16 bugs marked as 'security' were fixed in PHP 5.6.27, of which only one
> has a CVE assigned.
>
> Here you request a CVE for another issue (even though the documentation
> says it's unsafe to use unserialize on untrusted input).
>
> Are you planning to obtain CVEs also for the other security bugs, or do
> you treat the rest as CVE-unworthy? Or are reporters/community supposed
> to do it?

All the remaining bugs, despite being reported as security issues, involve
some very big strings to reproduce (~2GB).

This is prevented by any decent memory_limit value, and by max_input_size
for remote access.

P.S. Just my 0,02€, but indeed, CVE-unworthy.

> Thanks!

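The two mitigations Remi points to (a bounded memory_limit and a cap on input size) can also be applied directly where untrusted data is deserialized. The following is an added example, not code from this thread or from the PHP project: a wrapper that rejects oversized payloads before they reach unserialize(), restricts instantiable classes, and turns the notice on malformed input into an exception. The 64 KiB cap, the 128M memory_limit and the helper name safe_unserialize are assumptions chosen for illustration.

```php
<?php
// Added example (not from the oss-security thread): apply an input-length cap
// and a memory_limit before passing untrusted data to unserialize().
// MAX_SERIALIZED_BYTES is an assumed application-specific limit.
const MAX_SERIALIZED_BYTES = 65536;

function safe_unserialize(string $data, array $allowedClasses = [])
{
    // Reject oversized payloads outright: the multi-gigabyte reproducers
    // mentioned in the thread never reach the parser.
    if (strlen($data) > MAX_SERIALIZED_BYTES) {
        throw new LengthException(
            'serialized payload exceeds ' . MAX_SERIALIZED_BYTES . ' bytes'
        );
    }

    // unserialize() emits E_NOTICE and returns false on malformed input;
    // convert that into an exception so callers cannot silently accept it.
    set_error_handler(function (int $errno, string $errstr): bool {
        throw new UnexpectedValueException("unserialize failed: $errstr");
    });
    try {
        // PHP >= 7.0: 'allowed_classes' restricts which classes may be
        // instantiated. An empty list permits only scalars and arrays
        // (unknown objects become __PHP_Incomplete_Class).
        return unserialize($data, ['allowed_classes' => $allowedClasses]);
    } finally {
        restore_error_handler();
    }
}

// memory_limit bounds every allocation unserialize() can make.
// 128M is an assumed value; size it to what the application actually needs.
ini_set('memory_limit', '128M');

// Constructed sample inputs.
$good = 'a:2:{i:0;i:1;i:1;s:3:"abc";}';
var_dump(safe_unserialize($good));            // array(2) { [0]=> int(1) [1]=> string(3) "abc" }

try {
    // ~160 KB of repeated tokens: rejected by the length cap, not parsed.
    safe_unserialize(str_repeat('s:1:"x";', 20000));
} catch (LengthException $e) {
    echo $e->getMessage(), PHP_EOL;
}

try {
    // Truncated payload: the notice becomes an exception instead of false.
    safe_unserialize('a:2:{i:0;i:1;');
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The length check is deliberately placed before any parsing so that the cost of rejecting a hostile payload is O(1); memory_limit remains the backstop for anything the application-level cap does not cover, which is the point Remi makes about the ~2GB reproducers.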