[pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3

Julien Cristau jcristau at debian.org
Sat Feb 20 14:25:13 UTC 2016


Control: tags -1 moreinfo

On Wed, Feb  3, 2016 at 21:40:22 -0400, David Prévot wrote:

> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian.org at packages.debian.org
> Usertags: pu
> 
> Hi,
> 
> As agreed with the security team, we’d like to fix CVE-2016-1902 via
> p-u. The patch is “a bit” bigger than usual (homemade implementation
> replaced by a proper embedded one), sorry about that. Thanks in advance
> for considering it.
> 
> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
> 
>   [ Daniel Beyer ]
>   * Backport a security fix from 2.3.37
>     - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> 
>   [ David Prévot ]
>   * Add copyright entry for embeded paragonie/random_compat
> 
> Please note that the only component touched by this fix
> (php-symfony-security) has no (external) reverse dependencies in Jessie.
> 
Why have a fallback at all?  When would openssl be expected to fail?

Cheers,
Julien



