Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20120504205717.GD15689@suse.de>
Date: Fri, 4 May 2012 22:57:18 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: PHP-CGI query string parameter vulnerability (CVE-2012-1823 / CVE-2012-2311, CERT VU#520827)

On Sat, May 05, 2012 at 12:22:19AM +0400, Solar Designer wrote:
> Hi,
> 
> I guess most of you have heard of this one already, yet it should be in
> here as well.  The original issue was tracked as CERT VU#520827,
> CVE-2012-1823.  PHP 5.4.2 and 5.3.12 were released with an incomplete
> fix, and apparently CVE-2012-2311 refers to that incomplete fix issue.
> 
> http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
> http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html
> http://www.kb.cert.org/vuls/id/520827
> http://www.reddit.com/r/PHP/comments/t3pr8/how_serious_is_this/
> http://www.reddit.com/r/netsec/comments/t4lxw/phpcgi_query_string_parameter_vulnerability_leads/
> http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html
> http://www.opennet.ru/opennews/art.shtml?num=33765 (in Russian)

What I find particulary interesting is that the reporters apparently notified PHP
on January 17th. :/

Ciao, Marcus

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.