From $URL :

PHP 5.3.9 to 5.3.13 disclose arbitrary memory when an empty $data string is passed to openssl_encrypt.

It was introduced with the following commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=095cbc48a8f0090f3b0abc6155f2b61943c9eafb

and was fixed in 5.3.14 with the following:
http://git.php.net/?p=php-src.git;a=commitdiff;h=270a406ac94b5fc5cc9ef59fc61e3b4b95648a3e

Bugs:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1099793
https://bugs.php.net/bug.php?id=61413
CVE-2012-6113 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6113): The openssl_encrypt function in ext/openssl/openssl.c in PHP 5.3.9 through 5.3.13 does not initialize a certain variable, which allows remote attackers to obtain sensitive information from process memory by providing zero bytes of input data.
These versions of PHP are no longer in the main tree.
Closing noglsa. Users have already been advised to update in GLSA 201209-03.