Bug 612930 - <dev-lang/php-{5.6.31,7.0.17}: Denial of Service with large POST content
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa ]
Reported: 2017-03-17 16:42 UTC by Brian Evans (RETIRED)
Modified: 2017-09-24 15:07 UTC
Description Brian Evans (RETIRED) gentoo-dev 2017-03-17 16:42:02 UTC
The upstream bug[1] describes that processing time increases exponentially as the POST data size increases, causing a possible DoS attack.

This is fixed in PHP 7.0.17 and 7.1.3 already in the tree.
PHP 5.6.31 should also include this when upstream releases it.


[1] https://bugs.php.net/bug.php?id=73807
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-24 15:07:35 UTC
The fixed versions are already in tree and stable.

Downgrading to ~3 because the vulnerability affects only FreeBSD servers.

Gentoo Security Padawan
ChrisADR