CVE-2013-4248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4248): The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Maintainers, please pick a version to stable.
@maintainers: ping, do you want to stable .18, .19, or .20?
5.4.20 (and 5.5.4) would be preferred.
(In reply to Ole Markus With from comment #2) > 5.4.20 (and 5.5.4) would be preferred. Great, thanks! Arches, please test and mark stable: =dev-lang/php-5.4.20 =dev-lang/php-5.5.4 Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
(In reply to Ole Markus With from comment #2) > 5.4.20 (and 5.5.4) would be preferred. What about php-5.3 for this cve?
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
ia64 stable
alpha stable
sparc stable
Maintainers, please clean up vulnerable versions of: dev-lang/php Thank you.
GLSA Vote
(In reply to Agostino Sarubbo from comment #5) > What about php-5.3 for this cve? Official page said that this vulnerability was fixed only for 5.4 and 5.5 branches, so, it seems 5.3.27 does not contain fix for this. @maintainers: your thoughts?
Bug 492784 - is about to be stabilized so this will be fixed in those branches.
Maintainer(s), please drop the vulnerable version. The tree goes back a way.
cleanup done time ago.
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
