
Re: [php-maint] php5 testing transition



On Sat, May 5, 2012 20:49, Adam D. Barratt wrote:
> On Sat, 2012-05-05 at 20:39 +0200, Ondrej Sury wrote:
>> > For some reason I had it in my head that 5.4.2 was the upstream version
>> > with the fixed fix rather than the not-quite fixed fix.
>>
>> I think this is the case (e.g. 5.4.2 is the fixed version).
>
> I assume Thijs was referring to CVE-2012-2311, which covers the fix in
> 5.4.2 being incomplete.

PHP 5.4.2 does not fix the issue. Please see:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html
https://twitter.com/i0n1c/status/198158078913417216


Cheers,
Thijs

