|
Message-ID: <20120504224002.GG70483@dojo.mi.org>
Date: Fri, 4 May 2012 18:40:02 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)
:On Sat, May 05, 2012 at 12:22:19AM +0400, Solar Designer wrote:
:> Hi,
:>
:> I guess most of you have heard of this one already, yet it should be in
:> here as well. The original issue was tracked as CERT VU#520827,
:> CVE-2012-1823. PHP 5.4.2 and 5.3.12 were released with an incomplete
:> fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
:>
:> http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
:> http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
:> http://www.kb.cert.org/vuls/id/520827
:> http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
:> http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
:> http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
:> http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)
:
:What I find particulary interesting is that the reporters apparently notified PHP
:on January 17th. :/
...but the associated PHP bug appears to have only been opened on May
2nd. I wonder if it slipped through some cracks because it was being
handled outside of "normal" bug processes. Hmmm...
--
Michael J. O'Connor mjo@...o.mi.org
=--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"Potluck supper: prayer and medication to follow." -Anguished English
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.