[php-maint] Bug#631347: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Ondřej Surý
ondrej at sury.org
Thu Jun 23 05:42:01 UTC 2011
forcemerge 631286 631347
tags 631286 +squeeze wheezy sid
Thank you
Hi,
I already noticed the bug when you reported it in postgresql and cloned the bug.
Yes, php5 is affected, but only squeeze and onwards (writing this from the top of my head, so I had better double check).
Security team, can you remove the last not-yet-published security upload of php5? I'll bundle this CVE in and we will finally release the security update.
Ondřej Surý
On 23.6.2011, at 5:37, Luciano Bello <luciano at debian.org> wrote:
> Package: php5
> Severity: serious
> Tags: security
>
> Hi,
> A bug in crypt_blowfish was reported [1,2,3]. The RH report [4] may be useful
> too.
>
> The function BF_set_key in ./ext/standard/crypt_blowfish.c is vulnerable. Can
> you confirm that the bug affects the Debian packages?
>
> If so, please, consider providing patches for stable and oldstable besides
> sid.
>
> The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483.
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.
>
> [1] http://www.openwall.com/lists/oss-security/2011/06/20/2
> [2] http://www.openwall.com/lists/john-dev/2011/06/20/3
> [3] http://www.openwall.com/lists/john-dev/2011/06/20/5
> [4] https://bugzilla.redhat.com/show_bug.cgi?id=715025
>
> -luciano
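The "8-bit character mishandling" named in the subject is a sign-extension defect in the key loading step of BF_set_key: each 32-bit word of the expanded key is built by shifting in one key byte at a time, and when a byte is read through a signed char, any value of 0x80 or above is extended to 0xFFFFFFxx before it is OR-ed in, wiping the bytes already packed into that word. The following is an added illustration, not code from crypt_blowfish, php5 or this thread: it models only that packing loop (the buggy read beside the fixed unsigned read, no cipher), uses constructed passwords, and forces `signed char` so the result is the same on every platform, whereas the original used plain `char`, which is signed on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_N 16
#define KEY_WORDS (BF_N + 2)   /* bcrypt keys the 18-word P-array */

/* Hypothetical model of the pre-fix key loading step (not the crypt_blowfish
 * source): key bytes are read through a signed type, so any byte >= 0x80
 * sign-extends to 0xFFFFFFxx and the OR wipes the bytes already packed into
 * this word.  The original used plain char, which is signed on x86; the
 * explicit signed char here makes the behaviour reproducible everywhere. */
static void load_key_signed(const char *key, uint32_t out[KEY_WORDS])
{
    const signed char *ptr = (const signed char *)key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            tmp |= (uint32_t)(int)*ptr;        /* sign extension happens here */
            if (!*ptr) ptr = (const signed char *)key; else ptr++;
        }
        out[i] = tmp;
    }
}

/* Same loop with the fix applied: the byte is zero-extended, so only the
 * low 8 bits of tmp change and every key byte reaches the expanded key. */
static void load_key_unsigned(const char *key, uint32_t out[KEY_WORDS])
{
    const unsigned char *ptr = (const unsigned char *)key;
    for (int i = 0; i < KEY_WORDS; i++) {
        uint32_t tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            tmp |= *ptr;
            if (!*ptr) ptr = (const unsigned char *)key; else ptr++;
        }
        out[i] = tmp;
    }
}

typedef void (*key_loader)(const char *, uint32_t *);

/* Returns 1 if two passwords expand to the identical key schedule input,
 * i.e. they would necessarily produce the same hash under the same salt. */
static int keys_collide(key_loader load, const char *a, const char *b)
{
    uint32_t ka[KEY_WORDS], kb[KEY_WORDS];
    load(a, ka);
    load(b, kb);
    return memcmp(ka, kb, sizeof ka) == 0;
}

/* Defender-side check: a stored hash is only affected if the password
 * contained a byte >= 0x80 (non-ASCII, e.g. UTF-8 letters); pure-ASCII
 * passwords are packed identically by both loaders. */
static int key_has_high_bytes(const char *key)
{
    for (const unsigned char *p = (const unsigned char *)key; *p; p++)
        if (*p >= 0x80) return 1;
    return 0;
}

static void show(key_loader load, const char *label, const char *key)
{
    uint32_t k[KEY_WORDS];
    load(key, k);
    printf("%-6s word0=%08x word1=%08x\n", label, k[0], k[1]);
}

int main(void)
{
    /* constructed sample passwords: "ab" + 0xFF and "cd" + 0xFF */
    const char *p1 = "ab\xff", *p2 = "cd\xff";
    show(load_key_signed, "buggy", p1);
    show(load_key_signed, "buggy", p2);
    show(load_key_unsigned, "fixed", p1);
    show(load_key_unsigned, "fixed", p2);
    printf("buggy loader collides: %d\n", keys_collide(load_key_signed, p1, p2));
    printf("fixed loader collides: %d\n", keys_collide(load_key_unsigned, p1, p2));
    return 0;
}
```

Three-byte passwords are the clean case: the key plus its terminating NUL cycles with period four, which lines up with the 32-bit words, so the buggy loader turns every word into 0xFFFFFF00 no matter what the first two bytes were. For other lengths the alignment rotates and only some words lose bytes, which is why the problem shows up as specific colliding pairs rather than any two passwords hashing alike. The `key_has_high_bytes` check is the triage question an operator would ask after upgrading: only hashes of passwords containing such bytes need rehashing on next login.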