From ${URL} :
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4718 to the following vulnerability:

Name: CVE-2011-4718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718
Assigned: 20111209
Reference: https://bugs.php.net/bug.php?id=60491
Reference: https://wiki.php.net/rfc/strict_sessions
Reference: http://git.php.net/?p=php-src.git;a=commit;h=169b78eb79b0e080b67f9798708eb3771c6d0b2f
Reference: http://git.php.net/?p=php-src.git;a=commit;h=25e8fcc88fa20dc9d4c47184471003f436927cde

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
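The mitigation the referenced strict_sessions RFC introduced is the `session.use_strict_mode` setting, under which PHP's session handler refuses to create a session under an ID it did not itself generate. The snippet below is an added illustration and is not code from this bug report, from Gentoo, or from the PHP project; it assumes PHP 5.5.2 or later (where the setting first exists) and the built-in files save handler, and the function names `login_user` and `require_login` are hypothetical. It shows the weak setting beside the hardened one and rotates the session ID at login, which closes the same class of problem for applications that cannot rely on strict mode alone.

```php
<?php
// Added example (not from the bug report, Gentoo, or PHP): closing session
// fixation on the application side. Assumes PHP >= 5.5.2 and the built-in
// files save handler. login_user / require_login are hypothetical names.

// Weak setting (the pre-5.5.2 behaviour): any ID presented in the PHPSESSID
// cookie is accepted and a fresh session is created under it, so an ID known
// to a third party becomes a valid session for the victim.
//   session.use_strict_mode = 0

// Hardened setting: the save handler only accepts IDs it generated itself;
// an unknown ID is discarded and a new one is issued.
ini_set('session.use_strict_mode', '1');
// Keep the ID out of URLs and out of reach of client-side script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_start();

/**
 * Mark the current session as authenticated for $username.
 * $credentials_ok is the outcome of the application's own credential check
 * (passed in here; the check itself is out of scope for this example).
 * Returns the new session ID on success, null on failure.
 */
function login_user($username, $credentials_ok)
{
    if (!$credentials_ok) {
        return null;
    }
    // Rotate the ID at the privilege boundary and delete the old session
    // data, so an ID that existed before login no longer maps to this user.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['authenticated_at'] = time();
    return session_id();
}

/**
 * Guard for protected pages: a session with no authenticated user is refused.
 */
function require_login()
{
    if (empty($_SESSION['user'])) {
        http_response_code(401);
        exit('login required');
    }
    return $_SESSION['user'];
}

// Constructed usage: the credential check result is hard-coded for the demo.
$new_id = login_user('alice', true);
echo "session rotated to {$new_id}\n";
echo 'authenticated as ' . require_login() . "\n";
```

Strict mode depends on the save handler being able to say whether a given ID already exists; the built-in handlers can, while a custom handler has to provide that validation itself. Regenerating the ID on login is still worthwhile with strict mode on, since it also bounds how long any single ID stays valid across the privilege change.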
I assume that this doesn't affect 5.3 and 5.4?
Arches, please test and mark stable:
=dev-lang/php-5.5.2
Target keywords : "amd64 x86"
amd64 stable
x86 stable
Thanks for your work GLSA vote: yes
Oh, wait, there is bug #480460, dropping state to "stable blocked" then
(In reply to Sergey Popov from comment #6)
> Oh, wait, there is bug #480460, dropping state to "stable blocked" then

As far as I understand 5.3 and 5.4 are unaffected, and s390 has not been stabilised for 5.5 yet, so I don't think this one should be stable blocked.
(In reply to Ole Markus With from comment #7)
> As far as I understand 5.3 and 5.4 are unaffected, and s390 has not been
> stabilised for 5.5 yet, so I don't think this one should be stable blocked.

Also, s390 is not a supported security arch, so, yeah, my bad. Continue voting...
CVE-2011-4718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4718): Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
Added to existing GLSA draft.
This issue was resolved and addressed in GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml by GLSA coordinator Kristian Fiskerstrand (K_F).