Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20160325160148.285AE3AE004@smtpvbsrv1.mitre.org>
Date: Fri, 25 Mar 2016 12:01:48 -0400 (EDT)
From: cve-assign@...re.org
To: tyhicks@...onical.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, security@....net
Subject: Re: CVE Request: PHP last release security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I see a similar bug and fix in the PHP 5.x branch:
> 
>   https://bugs.php.net/bug.php?id=70081
>   https://git.php.net/?p=php-src.git;a=commitdiff;h=c96d08b27226193dd51f2b50e84272235c6aaa69
> 
> Note that the bug was filed in 2015. It was fixed in 5.6.12

Bug 70081 is divided into two parts: "The first problem lies how
zend_hash_get_current_key is called" and "Second problem is a few
lines later."

> Does CVE-2016-3185 cover the issue in 5.x, as well?

The CVE ID for the 5.x issue that was addressed by the
https://git.php.net/?p=php-src.git;a=commit;h=eaf4e77190d402ea014207e9a7d5da1a4f3727ba
code change is CVE-2016-3185. (Ideally, this would've had a
CVE-2015-#### number but we're not changing that now.)

We have assigned a new ID, CVE-2015-8835, for the "The first problem"
section of Bug 70081.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW9WAMAAoJEL54rhJi8gl5qaUQAIxfKaCFTJc+dKpEi5rE5HKL
WI3ZrnboUrMbauC2jj4lfXtSLYf2efuVip3ztYzhqwTuoTJrP5+csl4ZcQ1I3ryu
zZNhlnAPTYz16x1nX/j+SMlABoXTpt5Om8py3pzXTpjFKK4+Suy200ilHkGEJKp+
SKr76jUkhk9tkjuVSJaLzZKPvCnLK26uLspqgDeEsnRA08NfP37MeXVtxuUMazG3
s+agZdoGBVNmBi0UwpNRYOqnD8mF7YmFkjDP2Rn6HstacgbbmeLQceb2nDPNzNqC
okPsxq3UM0mmiOzK7g/I7CmqaYauRG/jHK7Gh53JY1vpDs+PND6qvy/T5omnpB7X
Av7cFzHOjmgy0Exl1ByqrSLgXz7jPZv3tNhtb2xaR3+HMF7ZPWXaNVKMl5bNdkDM
WEgZv1DAU8jXfJVvx9tmp9qrRHH3Aole2+ezmz3gRHSVbdXZ+YqO+UMwNoe0GDSE
w0kka5auFBrBfpljgVBkNmH84+6e+cjQbcxlMasfwo7SE70bgQd+Ro/y0QH0fGbY
OrlrHbd/QJ1RlrRUCEShnrcCgMXn/hcK8UGFiFmXC3YIobDwvCjS23ITEHEJN2c1
VcKoZMCcTd7PrpAhwfHc9gCJ5E1pEAcF/XtqLR9xKQSLoUgH23IeV9zr0kYbOQbe
veMxkk/NH3vUm6PS15VK
=AhMF
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.