Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()
On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ond??ej Surý wrote:
> > Hi Moritz and Adam,
> > I have prepared 5.3.3-3 in the git, but I would like to seek
> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
> > (with prolonged delay to 15 days)... btw thanks for that ... so
> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
> > testing and then upload 5.3.3-3 with urgency=high and request an
> > unblock again?
> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
> with the current age-days and followup with the CVE-2010-3710
> after that.
> Maybe this would also allow the PHP maintainers to include a final
> fix for 546164?
5.3.3-2 has now migrated to testing. The upstream fix for CVE-2010-3710
looks small and sane enough to be included in a -3 upload. From reading
the log for 546164 I'm not sure what the fix would look like, but would
be prepared to look at fixing it in squeeze.