[pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
Daniel Beyer
dabe at deb.ymc.ch
Sat Feb 20 18:04:42 UTC 2016
Hi,
On Sat, 2016-02-20 at 10:59 -0400, David Prévot wrote:
> H,
>
> Le 20/02/2016 10:25, Julien Cristau a écrit :
> > Control: tags -1 moreinfo
> […]
> >> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
> >>
> >> [ Daniel Beyer ]
> >> * Backport a security fix from 2.3.37
> >> - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> […]
> > Why have a fallback at all? When would openssl be expected to fail?
>
> Since php5 in Debian is built with openssl, my understanding is it would
> only be used on environments where it has been rebuilt with OpenSSL
> support turned off (I’m not sure one can deactivate it at run time, so
> openssl_random_pseudo_bytes() should always be available in a default
> Debian setup if I understood correctly).
>
> Daniel, can you confirm or provide more information about Julien’s question?
>
From what I understand, it would not be enough to only remove the
fallback and rely on openssl_random_pseudo_bytes(): This function might
silently return weak random data, as stated in the design decisions [1]
for the patched-in random_compat. Sadly this aspect is not mentioned by
upstream for CVE-2016-1902 [2].
1: https://github.com/paragonie/random_compat/blob/master/ERRATA.md
2: http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails
Greetings
Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20160220/9d77811e/attachment.sig>
More information about the pkg-php-pear
mailing list