Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 481004 (CVE-2011-4718) - <dev-lang/php-5.5.2 : session fixation vulnerability allows remote hijacking of sessions (CVE-2011-4718)
Summary: <dev-lang/php-5.5.2 : session fixation vulnerability allows remote hijacking ...
Status: RESOLVED FIXED
Alias: CVE-2011-4718
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A4 [glsa]
Keywords:
Depends on: 480460
Blocks:
  Show dependency tree
 
Reported: 2013-08-14 09:08 UTC by Agostino Sarubbo
Modified: 2014-08-31 11:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-08-14 09:08:12 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4718 to
the following vulnerability:

Name: CVE-2011-4718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718
Assigned: 20111209
Reference: https://bugs.php.net/bug.php?id=60491
Reference: https://wiki.php.net/rfc/strict_sessions
Reference: http://git.php.net/?p=php-src.git;a=commit;h=169b78eb79b0e080b67f9798708eb3771c6d0b2f
Reference: http://git.php.net/?p=php-src.git;a=commit;h=25e8fcc88fa20dc9d4c47184471003f436927cde

Session fixation vulnerability in the Sessions subsystem in PHP before
5.5.2 allows remote attackers to hijack web sessions by specifying a
session ID.


@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
Comment 1 Chris Reffett gentoo-dev Security 2013-08-14 23:57:10 UTC
I assume that this doesn't affect 5.3 and 5.4?
Comment 2 Agostino Sarubbo gentoo-dev 2013-08-23 13:02:33 UTC
Arches, please test and mark stable:
=dev-lang/php-5.5.2
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-08-23 14:24:14 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2013-08-23 14:24:25 UTC
x86 stable
Comment 5 Sergey Popov gentoo-dev 2013-08-24 05:48:54 UTC
Thanks for your work

GLSA vote: yes
Comment 6 Sergey Popov gentoo-dev 2013-08-24 05:51:12 UTC
Oh, wait, there is bug #480460, dropping state to "stable blocked" then
Comment 7 Ole Markus With (RETIRED) gentoo-dev 2013-08-24 06:19:25 UTC
(In reply to Sergey Popov from comment #6)
> Oh, wait, there is bug #480460, dropping state to "stable blocked" then

As far as I understand 5.3 and 5.4 are unaffected, and s390 has not been stabilised for 5.5 yet, so I don't think this one should be stable blocked.
Comment 8 Sergey Popov gentoo-dev 2013-08-24 08:29:56 UTC
(In reply to Ole Markus With from comment #7)
> As far as I understand 5.3 and 5.4 are unaffected, and s390 has not been
> stabilised for 5.5 yet, so I don't think this one should be stable blocked.

Also, s390 is not supported security arch, so, yeah, my bad. Continue voting...
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:19:08 UTC
CVE-2011-4718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4718):
  Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2
  allows remote attackers to hijack web sessions by specifying a session ID.
Comment 10 Chris Reffett gentoo-dev Security 2013-09-25 14:38:02 UTC
Added to existing GLSA draft.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 10:49:37 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:26:25 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).