Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 25 Mar 2016 12:01:48 -0400 (EDT)
From: cve-assign@...re.org
To: tyhicks@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request: PHP last release security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I see a similar bug and fix in the PHP 5.x branch:
> 
>   https://bugs.php.net/bug.php?id=70081
>   https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69
> 
> Note that the bug was filed in 2015. It was fixed in 5.6.12

Bug 70081 is divided into two parts: "The first problem lies how
zend_hash_get_current_key is called" and "Second problem is a few
lines later."

> Does CVE-2016-3185 cover the issue in 5.x, as well?

The CVE ID for the 5.x issue that was addressed by the
https://git.php.net/?p=php-src.git;a=commit;h=eaf4e77190d402ea014207e9a7d5da1a4f3727ba
code change is CVE-2016-3185. (Ideally, this would've had a
CVE-2015-#### number but we're not changing that now.)

We have assigned a new ID, CVE-2015-8835, for the "The first problem"
section of Bug 70081.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW9WAMAAoJEL54rhJi8gl5qaUQAIxfKaCFTJc+dKpEi5rE5HKL
WI3ZrnboUrMbauC2jj4lfXtSLYf2efuVip3ztYzhqwTuoTJrP5+csl4ZcQ1I3ryu
zZNhlnAPTYz16x1nX/j+SMlABoXTpt5Om8py3pzXTpjFKK4+Suy200ilHkGEJKp+
SKr76jUkhk9tkjuVSJaLzZKPvCnLK26uLspqgDeEsnRA08NfP37MeXVtxuUMazG3
s+agZdoGBVNmBi0UwpNRYOqnD8mF7YmFkjDP2Rn6HstacgbbmeLQceb2nDPNzNqC
okPsxq3UM0mmiOzK7g/I7CmqaYauRG/jHK7Gh53JY1vpDs+PND6qvy/T5omnpB7X
Av7cFzHOjmgy0Exl1ByqrSLgXz7jPZv3tNhtb2xaR3+HMF7ZPWXaNVKMl5bNdkDM
WEgZv1DAU8jXfJVvx9tmp9qrRHH3Aole2+ezmz3gRHSVbdXZ+YqO+UMwNoe0GDSE
w0kka5auFBrBfpljgVBkNmH84+6e+cjQbcxlMasfwo7SE70bgQd+Ro/y0QH0fGbY
OrlrHbd/QJ1RlrRUCEShnrcCgMXn/hcK8UGFiFmXC3YIobDwvCjS23ITEHEJN2c1
VcKoZMCcTd7PrpAhwfHc9gCJ5E1pEAcF/XtqLR9xKQSLoUgH23IeV9zr0kYbOQbe
veMxkk/NH3vUm6PS15VK
=AhMF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.