Date: Wed, 5 Jul 2017 15:50:58 +0300
From: Lior Kaplan <kaplanlior@...il.com>
To: Salvatore Bonaccorso <carnil@...ian.org>
Cc: oss-security@...ts.openwall.com, "security@....net" <security@....net>
Subject: Re: CVE IDs needed for PHP vulnerabilities (affects 5.6.30 and 7.0.20)

AFAIK, when the issue is already public the list is just fine.

From the cve-assign auto reply:

"In the special case of communications involving a publicly known
vulnerability on the oss-security mailing list, please do not use
the https://cveform.mitre.org web site at this time, and instead
send new or followup messages directly to that mailing list."

Kaplan

On Wed, Jul 5, 2017 at 3:34 PM, Salvatore Bonaccorso <carnil@...ian.org>
wrote:

> Hi
>
> On Wed, Jul 05, 2017 at 02:37:00PM +0300, Lior Kaplan wrote:
> > Hi,
> >
> > The following issues have been reported and fixed in PHP. At the moment
> > they are part of the PHP 7.0.21 release. The fixes are also included in the 5.6
> > branch and will be part of 5.6.31 when it is released.
> >
> > #73807 Performance problem with processing post request over 2000000 chars
> > https://bugs.php.net/bug.php?id=73807
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
> >
> > #74145 wddx parsing empty boolean tag leads to SIGSEGV
> > https://bugs.php.net/bug.php?id=74145
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9
> >
> > #74651 negative-size-param (-1) in memcpy in zif_openssl_seal()
> > https://bugs.php.net/bug.php?id=74651
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6
> >
> > #74819 wddx_deserialize() heap out-of-bound read via php_parse_date()
> > https://bugs.php.net/bug.php?id=74819
> > PHP 5.6 -
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
> > PHP 7.0  -
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5
> >
> > Also, requests from past releases:
> >
> > PHP 5.6.28 + 7.0.13
> > #73192 parse_url return wrong hostname
> > https://bugs.php.net/bug.php?id=73192
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4
> >
> > 5.6.30 + 7.0.15
> > #73773 Seg fault when loading hostile phar
> > https://bugs.php.net/bug.php?id=73773
> > http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451
>
> CVE assignment requests are not handled anymore directly via the
> oss-security list, but need to be filled/requested at
> https://cveform.mitre.org/
>
> Once CVEs are assigned, can you repost them here for the benefit of other
> readers?
>
> Regards,
> Salvatore
>
