Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3

2016-03-31 Thread Daniel Beyer
Hi Julien,

Can you give a short update regarding the proposed
symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?
It might be a bit late, but it would be great to have this fixed in 8.4,
which is about to be released.

Do you need any further information from us?

Greetings
Daniel




signature.asc
Description: This is a digitally signed message part


Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3

2016-02-20 Thread Daniel Beyer
Hi,

On Sat, 2016-02-20 at 10:59 -0400, David Prévot wrote:
> Hi,
> 
> On 20/02/2016 10:25, Julien Cristau wrote:
> > Control: tags -1 moreinfo
> […]
> >> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
> >>
> >>   [ Daniel Beyer ]
> >>   * Backport a security fix from 2.3.37
> >> - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> […]
> > Why have a fallback at all?  When would openssl be expected to fail?
> 
> Since php5 in Debian is built with openssl, my understanding is it would
> only be used on environments where it has been rebuilt with OpenSSL
> support turned off (I’m not sure one can deactivate it at run time, so
> openssl_random_pseudo_bytes() should always be available in a default
> Debian setup if I understood correctly).
> 
> Daniel, can you confirm or provide more information about Julien’s question?
> 

From what I understand, it would not be enough to only remove the
fallback and rely on openssl_random_pseudo_bytes(): This function might
silently return weak random data, as stated in the design decisions [1]
for the patched-in random_compat. Sadly this aspect is not mentioned by
upstream for CVE-2016-1902 [2].

1: https://github.com/paragonie/random_compat/blob/master/ERRATA.md
2: http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails


Greetings
Daniel



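The point Daniel raises above, shown as an added illustration that is not code from Symfony, random_compat or the Debian package: the unsafe pattern (quietly degrade to mt_rand() when OpenSSL fails) next to a fail-closed one that honours the $crypto_strong flag openssl_random_pseudo_bytes() sets through its second by-reference argument and prefers random_bytes() where PHP 7 provides it. Function names are mine; the code is written without scalar type hints so that it also runs on the PHP 5.6 shipped in jessie.

```php
<?php
// Added example, not Symfony's SecureRandom or Debian's patch.
// Contrasts a silently degrading random-byte source with one that fails closed.

/**
 * Weak pattern: on OpenSSL failure, fall back to mt_rand() (a Mersenne Twister,
 * not a CSPRNG; its output is predictable from a handful of samples). The caller
 * receives weak bytes with no signal that anything went wrong.
 * Kept only to illustrate the failure mode. Do not use.
 */
function weakRandomBytes($n)
{
    $bytes = @openssl_random_pseudo_bytes($n);
    if ($bytes === false || strlen($bytes) !== $n) {
        $bytes = '';
        for ($i = 0; $i < $n; $i++) {
            $bytes .= chr(mt_rand(0, 255));
        }
    }
    return $bytes;
}

/**
 * Fail-closed pattern:
 *  1. prefer random_bytes() (PHP >= 7), which throws when no CSPRNG is available;
 *  2. otherwise require openssl_random_pseudo_bytes() to report a strong result
 *     via $strong and to return exactly $n bytes;
 *  3. never degrade to mt_rand()/rand(): throw so the caller can abort.
 */
function strongRandomBytes($n)
{
    if (!is_int($n) || $n < 1) {
        throw new InvalidArgumentException('Requested length must be a positive integer');
    }
    if (function_exists('random_bytes')) {
        return random_bytes($n);
    }
    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('No cryptographically secure random source available');
    }
    $strong = false;
    $bytes  = openssl_random_pseudo_bytes($n, $strong);
    if ($bytes === false || $strong !== true || strlen($bytes) !== $n) {
        // The "weak data without an error" case: OpenSSL answered, but not strongly.
        throw new RuntimeException('openssl_random_pseudo_bytes() did not return strong random data');
    }
    return $bytes;
}

// Usage: a 32-byte token, hex-encoded for transport. Any failure is fatal,
// which is the intended behaviour for key/token material.
try {
    echo bin2hex(strongRandomBytes(32)), PHP_EOL;
} catch (Exception $e) {
    fwrite(STDERR, 'Fatal: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

The design choice worth noting is that strongRandomBytes() treats "OpenSSL returned bytes but $strong is false" as an error, not merely "OpenSSL returned false": that is the silent-weakness case the reply above is concerned about, and it is the reason removing the fallback alone would not have been sufficient.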

Bug#756508: nmu: twig_1.15.1-1

2014-07-30 Thread Daniel Beyer
On Wednesday, 30.07.2014, 16:10 +0200, Roland Mas wrote:
> Daniel Beyer, 2014-07-30 15:23:00 +0200 :
> > 
> > (...)
> >
> > in the meantime upstream released Twig 1.16.0 and I'm currently updating
> > the twig packaging. Instead of doing a nmu, may I ask you to upload
> > the new upstream release for me, since I need a sponsor for it.
> > I guess I should have it ready in the next few hours.
> 
>   Certainly :-)
> 
> Roland.

Hi Roland,

I just uploaded Twig on mentors. You can grab it from here:
http://mentors.debian.net/debian/pool/main/t/twig/twig_1.16.0-1.dsc

Thanks in advance for the upload.
Daniel





Bug#756508: nmu: twig_1.15.1-1

2014-07-30 Thread Daniel Beyer
On Wednesday, 30.07.2014, 14:57 +0200, Roland Mas wrote:
> nmu twig_1.15.1-1 . ALL . -m "Rebuild for phpapi-20131226"
> 
> The twig package was prepared in April, and just passed NEW; in the
> meantime, PHP was upgraded in Debian, with a different API.  Hence,
> one of the binary packages can't install on sid.  Since the control
> file uses a dynamic variable to generate the dependencies on phpapi-*,
> I suppose a binNMU would be the normal way to get an installable
> package.
> 

Hi,

in the meantime upstream released Twig 1.16.0 and I'm currently updating
the twig packaging. Instead of doing a nmu, may I ask you to upload
the new upstream release for me, since I need a sponsor for it.
I guess I should have it ready in the next few hours.

Thanks
Daniel

