Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 483212 (CVE-2013-4248) - <dev-lang/php-{5.4.20,5.5.4}: Man-in-the-Middle attack (CVE-2013-4248)
Summary: <dev-lang/php-{5.4.20,5.5.4}: Man-in-the-Middle attack (CVE-2013-4248)
Status: RESOLVED FIXED
Alias: CVE-2013-4248
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-08-31 22:59 UTC by GLSAMaker/CVETool Bot
Modified: 2014-08-31 11:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2013-08-31 22:59:20 UTC
CVE-2013-4248 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4248):
  The openssl_x509_parse function in openssl.c in the OpenSSL module in PHP
  before 5.4.18 and 5.5.x before 5.5.2 does not properly handle a '\0'
  character in a domain name in the Subject Alternative Name field of an X.509
  certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL
  servers via a crafted certificate issued by a legitimate Certification
  Authority, a related issue to CVE-2009-2408.


Maintainers, please pick a version to stable.
Comment 1 Chris Reffett gentoo-dev Security 2013-09-25 14:21:26 UTC
@maintainers: ping, do you want to stable .18, .19, or .20?
Comment 2 Ole Markus With (RETIRED) gentoo-dev 2013-09-25 14:36:17 UTC
5.4.20 (and 5.5.4) would be preferred.
Comment 3 Sean Amoss gentoo-dev Security 2013-09-26 20:24:22 UTC
(In reply to Ole Markus With from comment #2)
> 5.4.20 (and 5.5.4) would be preferred.

Great, thanks!

Arches, please test and mark stable:
=dev-lang/php-5.4.20
=dev-lang/php-5.5.4
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Jeroen Roovers gentoo-dev 2013-09-28 14:09:14 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2013-09-28 20:35:21 UTC
(In reply to Ole Markus With from comment #2)
> 5.4.20 (and 5.5.4) would be preferred.

What about php-5.3 for this cve?
Comment 6 Agostino Sarubbo gentoo-dev 2013-09-28 21:03:27 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-09-28 21:03:41 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-09-29 08:19:15 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-09-29 08:19:25 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-09-30 06:19:22 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-09-30 06:19:35 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-10-06 15:19:59 UTC
alpha stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-10-13 11:18:49 UTC
sparc stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2013-10-14 02:45:06 UTC
Maintainers, please clean up vulnerable versions of: dev-lang/php

Thank you.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2013-11-05 01:25:25 UTC
GLSA Vote
Comment 16 Sergey Popov gentoo-dev 2013-12-04 07:46:42 UTC
(In reply to Agostino Sarubbo from comment #5)
> What about php-5.3 for this cve?

Official page said that this vulnerability was fixed only for 5.4 and 5.5 branches, so, it seems 5.3.27 does not contain fix for this.

@maintainers: your thoughts?
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 01:51:27 UTC
Bug 492784 - is about to be stabilized so this will be fixed in those branches.
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 05:27:56 UTC
Maintainer(s), please drop the vulnerable version.

The tree goes back a way.
Comment 19 Agostino Sarubbo gentoo-dev 2014-04-13 12:00:24 UTC
cleanup done time ago.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-15 04:11:33 UTC
Added to an existing GLSA request.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 10:49:45 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 11:26:32 UTC
This issue was resolved and addressed in
 GLSA 201408-11 at http://security.gentoo.org/glsa/glsa-201408-11.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).