[pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3

David Prévot taffit at debian.org
Sat Feb 20 14:59:54 UTC 2016


Le 20/02/2016 10:25, Julien Cristau a écrit :
> Control: tags -1 moreinfo
>> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
>>   [ Daniel Beyer ]
>>   * Backport a security fix from 2.3.37
>>     - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> Why have a fallback at all?  When would openssl be expected to fail?

Since php5 in Debian is built with openssl, my understanding is it would
only be used on environments where it has been rebuilt with OpenSSL
support turned off (I’m not sure one can deactivate it at run time, so
openssl_random_pseudo_bytes() should always be available in a default
Debian setup if I understood correctly).

Daniel, can you confirm or provide more information about Julien’s question?



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20160220/9cf16253/attachment.sig>

More information about the pkg-php-pear mailing list