[pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
dabe at deb.ymc.ch
Sat Feb 20 18:04:42 UTC 2016
On Sat, 2016-02-20 at 10:59 -0400, David Prévot wrote:
> On 20/02/2016 10:25, Julien Cristau wrote:
> > Control: tags -1 moreinfo
> >> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
> >> [ Daniel Beyer ]
> >> * Backport a security fix from 2.3.37
> >> - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> > Why have a fallback at all? When would openssl be expected to fail?
> Since php5 in Debian is built with openssl, my understanding is it would
> only be used on environments where it has been rebuilt with OpenSSL
> support turned off (I’m not sure one can deactivate it at run time, so
> openssl_random_pseudo_bytes() should always be available in a default
> Debian setup if I understood correctly).
> Daniel, can you confirm or provide more information about Julien’s question?
From what I understand, it would not be enough to only remove the
fallback and rely on openssl_random_pseudo_bytes(): This function might
silently return weak random data, as stated in the design decisions
for the patched-in random_compat. Sadly this aspect is not mentioned by
upstream for CVE-2016-1902.
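As an added illustration of the point made above (example code, not Symfony's or random_compat's own), this shows how a caller must inspect the `$crypto_strong` out-parameter of openssl_random_pseudo_bytes(), since the function can hand back bytes that did not come from a strong source and only signals that through the flag; the function name `secureRandomBytes` is an assumed placeholder.

```php
<?php
// Added example: fail closed instead of silently accepting weak bytes.
// Assumed helper name; not part of Symfony's SecureRandom.
function secureRandomBytes(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('Length must be positive');
    }
    if (!function_exists('openssl_random_pseudo_bytes')) {
        // No fallback to mt_rand()/uniqid()-style sources: refuse instead.
        throw new RuntimeException('OpenSSL extension is not available');
    }
    $strong = false;
    // Second argument is set by reference; it is the only indication
    // that the returned bytes came from a cryptographically strong source.
    $bytes = openssl_random_pseudo_bytes($length, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new RuntimeException('OpenSSL did not provide strong random bytes');
    }
    return $bytes;
}

// On PHP >= 7, random_bytes() is the preferred primitive: it throws on
// failure rather than degrading silently, which is the behaviour wanted here.
$token = bin2hex(secureRandomBytes(16));
echo strlen($token) === 32 ? "ok\n" : "unexpected token length\n";
```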