[php-maint] Bug#800564: Bug#800564: php5: trivial hash complexity DoS attack

brian m. carlson sandals at crustytoothpaste.net
Sun Oct 2 19:04:19 UTC 2016


On Mon, Oct 05, 2015 at 12:32:33AM +0200, Ondřej Surý wrote:
> On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> > On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > > Hi Brian,
> > > 
> > > did you already report this to php security or should I do that?
> > 
> > You should probably do that.
> 
> I already did.
> 
> > I didn't contact PHP Security or the
> > Debian Security Team because I expect that due to similar
> > vulnerabilities in other languages, any attacker already knows about
> > this and can exploit it with minimal effort.  Secrecy doesn't therefore
> > benefit anyone, so I just filed a bug.
> 
> Yeah, I agree. Just they are the guys who will have to fix it, so it
> would have been faster to start with them.

This still hasn't been fixed upstream after over a year.  Security Team,
can you allocate a CVE for this, please?  Perhaps that will get upstream
moving.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204