Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Ondrej Surý <ondrej@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, 601619@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: [php-maint] Bug#601619: CVE-2010-3710: DoS in filter_var()
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sun, 07 Nov 2010 19:20:46 +0000
Message-id: <[🔎] 1289157646.27850.7049.camel@hathi.jungle.funky-badger.org>
In-reply-to: <20101028162411.GA2464@galadriel.inutil.org>
References: <20101027203751.6339.52681.reportbug@localhost.localdomain> <AANLkTim_etttwbGKgrTK7=A7mhyv+NYiXEG9TjfUqLm_@mail.gmail.com> <20101028162411.GA2464@galadriel.inutil.org>

On Thu, 2010-10-28 at 18:24 +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 27, 2010 at 11:45:21PM +0200, Ond??ej Surý wrote:
> > Hi Moritz and Adam,
> > 
> > I have prepared 5.3.3-3 in the git, but I would like to seek
> > debian-release(Adam) advice how to proceed. Adam has unblocked 5.3.3-2
> > (with prolonged delay to 15 days)... btw thanks for that ...  so
> > should I upload 5.3.3-3 with this fix or wait for 5.3.3-2 to go to
> > testing and then upload 5.3.3-3 with urgency=high and request an
> > unblock again?
> 
> This issue doesn't seem urgent. I would recommend to let 5.3.3-2
> with the current age-days and followup with the CVE-2010-3710
> after that.
> 
> Maybe this would also allow the PHP maintainers to include a final
> fix for 546164?

5.3.3-2 has now migrated to testing.  The upstream fix for CVE-2010-3710
looks small and sane enough to be included in a -3 upload.  From reading
the log for 546164 I'm not sure what the fix would look like, but would
be prepared to look at fixing it in squeeze.

Regards,

Adam

Reply to:

Prev by Date: Bug#602736: RM: funguloids/1.06-8
Next by Date: Please unblock debarchiver
Previous by thread: Bug#602736: marked as done (RM: funguloids/1.06-8)
Next by thread: Please unblock debarchiver
Index(es):
- Date
- Thread