[pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
Julien Cristau
jcristau at debian.org
Sat Feb 20 14:25:13 UTC 2016
Control: tags -1 moreinfo
On Wed, Feb 3, 2016 at 21:40:22 -0400, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org at packages.debian.org
> Usertags: pu
>
> Hi,
>
> As agreed with the security team, we’d like to fix CVE-2016-1902 via
> p-u. The patch is “a bit” bigger than usual (homemade implementation
> replaced by a proper embedded one), sorry about that. Thanks in advance
> for considering it.
>
> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
>
> [ Daniel Beyer ]
> * Backport a security fix from 2.3.37
> - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
>
> [ David Prévot ]
> * Add copyright entry for embedded paragonie/random_compat
>
> Please note that the only component touched by this fix
> (php-symfony-security) has no (external) reverse dependencies in Jessie.
>
Why have a fallback at all? When would openssl be expected to fail?

Cheers,
Julien