
Re: [SECURITY] [DSA-2089-1] New php5 packages fix several vulnerabilities



Raphael Geissert wrote:

> MOPS-60
> 
>     The default sessions serializer does not correctly handle a special
> marker, which allows an attacker to inject arbitrary variables into the
> session and possibly exploit vulnerabilities in the unserializer.
> 
>     For the vulnerability described by CVE-2010-1128 (predictable entropy
> for the Linear Congruential Generator used to generate session ids), we
> do not consider upstream's solution to be sufficient.  It is recommended
> to uncomment the 'session.entropy_file' and 'session.entropy_length'
> settings in the php.ini files.
>     Further improvements can be achieved by setting 'session.hash_function'
> to 1 (one) and incrementing the value of 'session.entropy_length'.

bofh@warp:~ $ egrep '(entropy|hash_function)' /etc/php5/apache2/php.ini
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.hash_function = 0

Do you actually read these kinds of mails carefully, or do you wait until
I do and warn you?   :P

-- 
Greetings
Harrie
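The egrep above shows why the advisory's advice is easy to miss: the commented-out lines carry the recommended values while the active ones are still 0 and empty. A small shell check that reads only the active (uncommented) directives makes that state explicit. This is an added example, not part of the original mail or of the Debian advisory; the directive names come from the advisory, while the helper names (`php_ini_get`, `session_entropy_ok`), the sample php.ini contents, and the minimum length of 16 bytes (the commented-out Debian default) are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the session entropy settings in a php.ini file.
# Directive names are those from DSA-2089-1; everything else here
# (helper names, sample files, the 16-byte minimum) is an assumption.

# Print the effective value of a php.ini directive: the last active
# (non-commented) assignment, with surrounding whitespace stripped.
# Lines starting with ';' never match, so commented defaults are ignored.
php_ini_get() {
    # $1 = directive name, $2 = path to php.ini
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when the session id generation follows the advisory's advice:
# an entropy file is configured, entropy_length is at least 16 bytes, and
# hash_function is 1 (SHA-1 in PHP 5.x; 0 selects MD5).
# Each failing check is reported on stdout.
session_entropy_ok() {
    ini="$1"
    file=$(php_ini_get session.entropy_file "$ini")
    len=$(php_ini_get session.entropy_length "$ini")
    hf=$(php_ini_get session.hash_function "$ini")
    rc=0
    [ -n "$file" ] || { echo "session.entropy_file is empty or commented out"; rc=1; }
    case "$len" in
        ''|*[!0-9]*) echo "session.entropy_length is unset or not numeric"; rc=1 ;;
        *) [ "$len" -ge 16 ] || { echo "session.entropy_length = $len (below 16)"; rc=1; } ;;
    esac
    [ "$hf" = "1" ] || { echo "session.hash_function = ${hf:-unset} (expected 1)"; rc=1; }
    return $rc
}

# Constructed sample mirroring the defaults quoted in the mail.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.hash_function = 0
EOF

# Constructed sample with the advisory's recommendation applied.
HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
session.entropy_length = 32
session.entropy_file = /dev/urandom
session.hash_function = 1
EOF

for f in "$WEAK_INI" "$HARDENED_INI"; do
    if session_entropy_ok "$f"; then
        echo "$f: session entropy settings OK"
    else
        echo "$f: session entropy settings need attention"
    fi
done
```

Pointing `session_entropy_ok` at the real file from the mail (`/etc/php5/apache2/php.ini`) instead of the constructed samples gives the same report for a live system; note that PHP reads the last active assignment when a directive appears more than once, which is why the helper takes the last match rather than the first.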

