[php-maint] Bug#657698: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Carlos Alberto Lopez Perez clopez at igalia.com
Thu Feb 2 21:56:01 UTC 2012


On 02/02/12 14:43, Carlos Alberto Lopez Perez wrote:
> On 02/02/12 14:31, Stefan Esser wrote:
>> considering the fact that you write this email the very same day that a remote code execution vulnerability in PHP is found that is easy to exploit from remote and is greatly mitigated by the use of Suhosin you look pretty stupid. (In case of usage of Suhosin-Extension in default config, it is even completely killed).
>>
>> Just saying.
>>
> 
> I think that your words are out of tone, there is no need to be impolite
> 
> 
> And where is such an exploit??? I don't see any CVE
> 

Answering myself:


-------- Original Message --------
From: Tomas Hoger <thoger at redhat.com>
To: OSS Security <oss-security at lists.openwall.com>
Cc: security at php.net, Stefan Esser <stefan.esser at sektioneins.de>
Subject: [oss-security] PHP remote code execution introduced via HashDoS fix

Hi!

Internets are buzzing with info on the PHP flaw found by Stefan Esser
in the fix for CVE-2011-4885.

http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
http://svn.php.net/viewvc?view=revision&revision=323007

This got CVE-2012-0830 assigned earlier today.  This is sent to make
the assignment public and avoid possible duplicate assignment.

-- 
Tomas Hoger / Red Hat Security Response Team




-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez                           http://neutrino.es
Igalia - Free Software Engineering                http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
