On Mon, Oct 05, 2015 at 12:32:33AM +0200, Ondřej Surý wrote:
> On Mon, Oct 5, 2015, at 00:20, brian m. carlson wrote:
> > On Sun, Oct 04, 2015 at 09:55:43PM +0200, Ondřej Surý wrote:
> > > Hi Brian,
> > >
> > > did you already report this to php security or should I do that?
> >
> > You should probably do that.
>
> I already did.
>
> > I didn't contact PHP Security or the
> > Debian Security Team because I expect that due to similar
> > vulnerabilities in other languages, any attacker already knows about
> > this and can exploit it with minimal effort. Secrecy doesn't therefore
> > benefit anyone, so I just filed a bug.
>
> Yeah, I agree. Just they are the guys who will have to fix it, so it
> would have been faster to start with them.

This still hasn't been fixed upstream after over a year.

Security Team, can you allocate a CVE for this, please? Perhaps that
will get upstream moving.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204