Date: Thu, 6 Jul 2017 10:40:51 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: Salvatore Bonaccorso <carnil@...ian.org>,
	"security@....net" <security@....net>
Subject: Re: CVE IDs needed for PHP vulnerabilities (affects 5.6.30 and 7.0.20)

Hi Lior,

Do you want to request CVEs via the webform? If not, I could do it.

Ciao, Marcus

On Wed, Jul 05, 2017 at 03:50:58PM +0300, Lior Kaplan wrote:
> AFAIK, when the issue is already public the list is just fine.
> 
> From the cve-assign auto reply:
> 
> "In the special case of communications involving a publicly known
> vulnerability on the oss-security mailing list, please do not use
> the https://cveform.mitre.org web site at this time, and instead
> send new or followup messages directly to that mailing list."
> 
> Kaplan
> 
> On Wed, Jul 5, 2017 at 3:34 PM, Salvatore Bonaccorso <carnil@...ian.org> wrote:
> 
> > Hi
> >
> > On Wed, Jul 05, 2017 at 02:37:00PM +0300, Lior Kaplan wrote:
> > > Hi,
> > >
> > > The following issues have been reported and fixed in PHP. At the moment
> > > they are part of PHP 7.0.21 release. The fixes are also included in the 5.6
> > > branch and will be part of 5.6.31 when it will be released.
> > >
> > > #73807 Performance problem with processing post request over 2000000 chars
> > > https://bugs.php.net/bug.php?id=73807
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=0f8cf3b8497dc45c010c44ed9e96518e11e19fc3
> > >
> > > #74145 wddx parsing empty boolean tag leads to SIGSEGV
> > > https://bugs.php.net/bug.php?id=74145
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9
> > >
> > > #74651 negative-size-param (-1) in memcpy in zif_openssl_seal()
> > > https://bugs.php.net/bug.php?id=74651
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6
> > >
> > > #74819 wddx_deserialize() heap out-of-bound read via php_parse_date()
> > > https://bugs.php.net/bug.php?id=74819
> > > PHP 5.6 -
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
> > > PHP 7.0 -
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=6b18d956de38ecd8913c3d82ce96eb0368a1f9e5
> > >
> > > Also, requests from past releases:
> > >
> > > PHP 5.6.28 + 7.0.13
> > > #73192 parse_url return wrong hostname
> > > https://bugs.php.net/bug.php?id=73192
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=b061fa909de77085d3822a89ab901b934d0362c4
> > >
> > > 5.6.30 + 7.0.15
> > > #73773 Seg fault when loading hostile phar
> > > https://bugs.php.net/bug.php?id=73773
> > > http://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451
> >
> > CVE assignment requests are not handled anymore directly via the
> > oss-security list, but need to be filled/requested at
> > https://cveform.mitre.org/
> >
> > Once CVEs are assigned, can you repost them here for the benefit of other
> > readers?
> >
> > Regards,
> > Salvatore
> >

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
