On 02/02/12 14:43, Carlos Alberto Lopez Perez wrote:
> On 02/02/12 14:31, Stefan Esser wrote:
>> considering the fact that you write this email the very same day that a 
>> remote code execution vulnerability in PHP is found that is easy to exploit 
>> from remote and is greatly mitigated by the use of Suhosin you look pretty 
>> stupid. (In case of usage of Suhosin-Extension in default config, it is even 
>> completely killed).
>>
>> Just saying.
>>
> 
> I think that your words are out of tone; there is no need to be impolite.
> 
> 
> And where is such an exploit??? I don't see any CVE.
> 

Answering myself:


-------- Original Message --------
From: Tomas Hoger <tho...@redhat.com>
To: OSS Security <oss-secur...@lists.openwall.com>
Cc: secur...@php.net, Stefan Esser <stefan.es...@sektioneins.de>
Subject: [oss-security] PHP remote code execution introduced via HashDoS fix

Hi!

Internets are buzzing with info on the PHP flaw found by Stefan Esser
in the fix for CVE-2011-4885.

http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
http://www.h-online.com/security/news/item/Critical-PHP-vulnerability-being-fixed-1427316.html
http://svn.php.net/viewvc?view=revision&revision=323007

This got CVE-2012-0830 assigned earlier today.  This is sent to make
the assignment public and avoid possible duplicate assignment.

-- 
Tomas Hoger / Red Hat Security Response Team
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez                           http://neutrino.es
Igalia - Free Software Engineering                http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
