Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
On Thu, Mar 31, 2016 at 23:43:03 +0200, Daniel Beyer wrote:
> Hi Julien,
>
> Can you give a short update regarding the proposed
> symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?
> It might be a bit late, but it would be great to have this fixed in 8.4,
> which is about to be released.
>
> Do you need any further information from us?
>
I must admit that I have trouble believing that you'd need 1kloc to add a random_bytes function :(

Cheers,
Julien
Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
On Thu, 2016-03-31 at 23:43 +0200, Daniel Beyer wrote:
> Hi Julien,
>
> Can you give a short update regarding the proposed
> symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?
> It might be a bit late, but it would be great to have this fixed in 8.4,
> which is about to be released.

Not a comment on this update specifically, but as previously announced and as is standard practice, the window for accepting updates for 8.4 closed last weekend. Yesterday was thus more than "a bit late".

Regards,
Adam
Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
Hi Julien,

Can you give a short update regarding the proposed symfony/2.3.21+dfsg-4+deb8u3, fixing CVE-2016-1902?
It might be a bit late, but it would be great to have this fixed in 8.4, which is about to be released.

Do you need any further information from us?

Greetings
Daniel
Bug#813653: [pkg-php-pear] Bug#813653: jessie-pu: package symfony/2.3.21+dfsg-4+deb8u3
Hi,

On Sat, 2016-02-20 at 10:59 -0400, David Prévot wrote:
> Hi,
>
> On 20/02/2016 10:25, Julien Cristau wrote:
> > Control: tags -1 moreinfo
> […]
> >> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
> >>
> >>   [ Daniel Beyer ]
> >>   * Backport a security fix from 2.3.37
> >>     - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
> […]
> > Why have a fallback at all? When would openssl be expected to fail?
>
> Since php5 in Debian is built with openssl, my understanding is it would
> only be used on environments where it has been rebuilt with OpenSSL
> support turned off (I’m not sure one can deactivate it at run time, so
> openssl_random_pseudo_bytes() should always be available in a default
> Debian setup if I understood correctly).
>
> Daniel, can you confirm or provide more information about Julien’s question?
>
From what I understand, it would not be enough to only remove the fallback and rely on openssl_random_pseudo_bytes(): This function might silently return weak random data, as stated in the design decisions [1] for the patched-in random_compat. Sadly this aspect is not mentioned by upstream for CVE-2016-1902 [2].

1: https://github.com/paragonie/random_compat/blob/master/ERRATA.md
2: http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails

Greetings
Daniel
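The point Daniel raises above (openssl_random_pseudo_bytes() can hand back bytes while flagging them as not cryptographically strong) as an added PHP example; this is not code from Symfony, random_compat or this thread, and the function and exception names are assumptions. It fails closed instead of falling back to a weaker generator, which is the pattern the CVE-2016-1902 fix replaces.

```php
<?php
// Added example: a byte generator that refuses to degrade when OpenSSL
// cannot deliver cryptographically strong bytes. Written to run on
// PHP 5 (jessie's php5) as well as PHP 7+, hence no scalar type hints.

class WeakRandomException extends RuntimeException {}

/**
 * Return $length cryptographically strong bytes, or throw.
 *
 * On PHP >= 7.0 random_bytes() already throws on failure, so it is used
 * first. On older PHP we call openssl_random_pseudo_bytes() and inspect
 * its $crypto_strong out-parameter, because the function may return
 * data while signalling that the data is NOT strong.
 */
function secureRandomBytes($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('length must be a positive int');
    }

    if (function_exists('random_bytes')) {
        return random_bytes($length); // throws on failure, never weak
    }

    if (!function_exists('openssl_random_pseudo_bytes')) {
        // No CSPRNG available: fail closed rather than fall back to
        // mt_rand()/microtime()-derived data.
        throw new WeakRandomException('openssl extension not available');
    }

    $strong = false;
    $bytes = openssl_random_pseudo_bytes($length, $strong);

    // All three checks matter: a false return, a short result, and a
    // result flagged as non-strong must each be treated as failure.
    // Silently accepting weak bytes here is the bug class behind
    // CVE-2016-1902's "fallback not secure when OpenSSL fails".
    if ($bytes === false || $strong !== true || strlen($bytes) !== $length) {
        throw new WeakRandomException('OpenSSL did not provide strong random bytes');
    }

    return $bytes;
}

// Usage: let the exception propagate (abort the operation) rather than
// catch it and substitute output from a non-cryptographic PRNG.
echo bin2hex(secureRandomBytes(32)), PHP_EOL;
```

A quick check in a review is to grep a code base for openssl_random_pseudo_bytes() calls that pass no second argument or never test it: those silently accept whatever OpenSSL returns.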