Message-Id: <201208291326.35248.geissert@debian.org>
Date: Wed, 29 Aug 2012 13:26:34 -0500
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: php header() header injection detection bypass

Hi,

Reviewing a list of CVE ids that were assigned from the Debian CNA pool, I noticed there is one [id] for php5 that hasn't been made public, yet the issue has already been re-re-reported and in this one last round finally fixed.

I'm talking about https://bugs.php.net/60227

It was independently reported by two persons but as of this time their reports (#54182 and #54006) are still hidden behind the "security bug" curtain of PHP's bug tracker.

Back when they were reported, I had assigned the following id:
CVE-2011-1398 "header injection detection bypass."
Note that the id only applies to the CR bypass part of the issue.

Then came this other report (#60227, originally reported as #60028 by the same person but tagged security, which hid it too), which led to finally fixing the bug (but please beware of the original fix by reading [1]).

Unless I missed something, the CR bypass issue was never assigned a CVE id once it became public. Please do correct me if I'm wrong.

[1] http://article.gmane.org/gmane.comp.php.devel/70584

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net