[pkg-php-pear] Symfony in stable: Fix for CVE-2016-4423 in git

Daniel Beyer dabe at deb.ymc.ch
Tue May 10 21:48:21 UTC 2016

Hi David,

On Tue, 2016-05-10 at 10:24 -0400, David Prévot wrote:
> Hi Daniel,
> Le 10/05/2016 à 01:40, Daniel Beyer a écrit :
> > I prepared a fix for CVE-2016-4423 [1] in branch
> > jessie-security/CVE-2016-4423 [2].
> Looks good to me, thanks. I rebased it on the updated embedded copy of
> paragonie/random_compat in a jessie-security/CVE-2016-4423_bis branch
> (since the latest version of php-random-compat currently in Sid and
> Stretch had potentially way more testing than the previous version).

Thanks, that's very good.

> > In case this should be fixed via DSA, here is an initial draft for it:
> Thanks. Can you please follow up to the security team in order to ask
> their opinion on that?
> > Note that there is an other CVE (CVE-2016-2403 [3]), which does not
> > affect the 2.3 series. But since 2.8 and 3.0 are affected by both
> > CVE-2016-2403 and CVE-2016-4423, I'll try to prepare updates to 2.8.6
> > and 3.0.6 later today.
> Please give also this information for the security team: I may not have
> time to update the security tracker myself today.

I send the security team a mail them and gave them that info, as you
probably saw (you were in CC).

I prepared 2.8.6 in branch 2.8, which should be ready for a sid upload.
With 3.0.6 I have failing tests - I uploaded my work in branch
wip/dabe/3.0.6 and have a closer look to that tomorrow.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-pear/attachments/20160510/52d70f09/attachment.sig>

More information about the pkg-php-pear mailing list