[pkg-php-pear] Symfony in stable: Fix for CVE-2016-4423 in git

David Prévot david at tilapin.org
Tue May 10 14:24:28 UTC 2016


Hi Daniel,

On 10/05/2016 at 01:40, Daniel Beyer wrote:

> I prepared a fix for CVE-2016-4423 [1] in branch
> jessie-security/CVE-2016-4423 [2].

Looks good to me, thanks. I rebased it on the updated embedded copy of
paragonie/random_compat in a jessie-security/CVE-2016-4423_bis branch
(since the latest version of php-random-compat currently in Sid and
Stretch had potentially way more testing than the previous version).

> In case this should be fixed via DSA, here is an initial draft for it:

Thanks. Can you please follow up with the security team in order to ask
their opinion on that?

> Note that there is another CVE (CVE-2016-2403 [3]), which does not
> affect the 2.3 series. But since 2.8 and 3.0 are affected by both
> CVE-2016-2403 and CVE-2016-4423, I'll try to prepare updates to 2.8.6
> and 3.0.6 later today.

Please also give this information to the security team: I may not have
time to update the security tracker myself today.

Regards

David
