CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash


Debian Bug report logs - #631283

Package: php5-suhosin; Maintainer for php5-suhosin is (unknown);

Reported by: Luciano Bello <luciano@debian.org>

Date: Wed, 22 Jun 2011 14:51:06 UTC

Severity: serious

Tags: security

Fixed in version php-suhosin/0.9.33-1

Done: Jan Wagner <waja@cyconet.org>

Bug is archived. No further changes may be made.

Forwarded to user: "stefan.esser" domain: "sektioneins.de"



Report forwarded to debian-bugs-dist@lists.debian.org, php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>:
Bug#631283; Package php5-suhosin. (Wed, 22 Jun 2011 14:51:09 GMT)


Acknowledgement sent to Luciano Bello <luciano@debian.org>:
New Bug report received and forwarded. Copy sent to php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>. (Wed, 22 Jun 2011 14:51:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Luciano Bello <luciano@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Date: Wed, 22 Jun 2011 11:47:37 -0300
Package: php5-suhosin
Severity: serious
Tags: security

Hi,
The CVE (Common Vulnerabilities & Exposures) CVE-2011-2483 was
published for php5-suhosin.

A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key from
crypt_blowfish.c:554 looks vulnerable. The RH report may be useful [4] too.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano
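Added illustration, not code from this report or from crypt_blowfish itself: a C program that models the byte-to-subkey loop of BF_set_key in its original and corrected form and checks whether two passwords expand to the same Blowfish subkeys. Assumptions: the loop shape (18 four-byte words, the NUL terminator consumed as a key byte and the key restarted after it), sign-extension forced explicitly so the result does not depend on the platform's char signedness, and constructed sample passwords.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_WORDS 18             /* BF_N + 2 subkeys filled by BF_set_key */
typedef uint32_t BF_word;

/* Key expansion in the shape of crypt_blowfish's BF_set_key: the NUL
 * terminator is consumed as a key byte, then the key restarts.
 * fixed == 0 models the original code on a signed-char platform: a byte
 * >= 0x80 is sign-extended to 0xffffffXX before the OR and wipes the
 * bytes already shifted into tmp. fixed == 1 is the unsigned-char fix.
 * The XOR with the constant Blowfish P-array is omitted (not needed). */
static void set_key(const char *key, BF_word expanded[BF_WORDS], int fixed)
{
    const char *ptr = key;
    for (int i = 0; i < BF_WORDS; i++) {
        BF_word tmp = 0;
        for (int j = 0; j < 4; j++) {
            tmp <<= 8;
            if (fixed)
                tmp |= (unsigned char)*ptr;
            else
                tmp |= (BF_word)(int)(signed char)*ptr; /* sign-extended */
            if (!*ptr) ptr = key; else ptr++;
        }
        expanded[i] = tmp;
    }
}

/* 1 when both passwords expand to the same subkeys, so they would yield
 * the same bcrypt hash for any salt and cost; 0 otherwise. */
int keys_collide(const char *a, const char *b, int fixed)
{
    BF_word ka[BF_WORDS], kb[BF_WORDS];
    set_key(a, ka, fixed);
    set_key(b, kb, fixed);
    return memcmp(ka, kb, sizeof ka) == 0;
}

int main(void)
{
    /* Constructed sample pair: 0xa3 (Latin-1 pound sign) as the third
     * byte erases the "ab" in front of it under the original loop. */
    const char *p1 = "ab\xa3", *p2 = "\xa3";
    printf("original loop: %s\n", keys_collide(p1, p2, 0) ? "collide" : "differ");
    printf("fixed loop:    %s\n", keys_collide(p1, p2, 1) ? "collide" : "differ");
    return 0;
}
```

Pure-ASCII passwords are unaffected by the defect in either loop, which is why the problem only surfaces for users whose passwords contain 8-bit characters.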




Set Bug forwarded-to-address to 'user: "stefan.esser" domain: "sektioneins.de"'. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Tue, 05 Jul 2011 09:03:31 GMT)


Reply sent to Jan Wagner <waja@cyconet.org>:
You have taken responsibility. (Tue, 24 Jan 2012 21:54:12 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jan 2012 21:54:12 GMT)


Message #12 received at 631283-done@bugs.debian.org:

From: Jan Wagner <waja@cyconet.org>
To: Luciano Bello <luciano@debian.org>, 631283-done@bugs.debian.org
Subject: Re: Bug#631283: CVE-2011-2483 crypt_blowfish: 8-bit character mishandling allows different password pairs to produce the same hash
Date: Tue, 24 Jan 2012 22:43:44 +0100
Hi Luciano,

I contacted upstream about the issue.

On Wednesday 22 June 2011, Luciano Bello wrote:
> The CVE (Common Vulnerabilities & Exposures) CVE-2011-2483 was
> published for php5-suhosin.
> 
> A bug in crypt_blowfish was reported [1,2,3]. The function BF_set_key from
> crypt_blowfish.c:554 looks vulnerable. The RH report may be useful[4] too.
> 
> If you fix the vulnerability please also make sure to include the
> CVE id in your changelog entry.

The broken code is not used since php 5.3 and so this is a theoretical
vulnerability (in the unused code). As we are shipping php 5.3 with stable,
this should not be an issue.
Anyways ... the unused code is removed with recent upstream release.

With kind regards, Jan.
-- 
Never write mail to <waja@spamfalle.info>, you have been warned!

Reply sent to Jan Wagner <waja@cyconet.org>:
You have taken responsibility. (Tue, 24 Jan 2012 22:36:07 GMT)


Notification sent to Luciano Bello <luciano@debian.org>:
Bug acknowledged by developer. (Tue, 24 Jan 2012 22:36:07 GMT)


Message #17 received at 631283-close@bugs.debian.org:

From: Jan Wagner <waja@cyconet.org>
To: 631283-close@bugs.debian.org
Subject: Bug#631283: fixed in php-suhosin 0.9.33-1
Date: Tue, 24 Jan 2012 22:34:08 +0000
Source: php-suhosin
Source-Version: 0.9.33-1

We believe that the bug you reported is fixed in the latest version of
php-suhosin, which is due to be installed in the Debian FTP archive:

php-suhosin_0.9.33-1.diff.gz
  to main/p/php-suhosin/php-suhosin_0.9.33-1.diff.gz
php-suhosin_0.9.33-1.dsc
  to main/p/php-suhosin/php-suhosin_0.9.33-1.dsc
php-suhosin_0.9.33.orig.tar.gz
  to main/p/php-suhosin/php-suhosin_0.9.33.orig.tar.gz
php5-suhosin_0.9.33-1_i386.deb
  to main/p/php-suhosin/php5-suhosin_0.9.33-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631283@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jan Wagner <waja@cyconet.org> (supplier of updated php-suhosin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Tue, 24 Jan 2012 23:09:33 +0100
Source: php-suhosin
Binary: php5-suhosin
Architecture: source i386
Version: 0.9.33-1
Distribution: unstable
Urgency: low
Maintainer: php-suhosin maintainers <php-suhosin-maintainers@ml.snow-crash.org>
Changed-By: Jan Wagner <waja@cyconet.org>
Description: 
 php5-suhosin - advanced protection module for php5
Closes: 631283 657190
Changes: 
 php-suhosin (0.9.33-1) unstable; urgency=low
 .
   * New upstream version (Closes: #657190, #631283)
     - Fixed stack based buffer overflow in transparent cookie encryption
     - Fixed environment variables for logging do not go through the filter
       extension anymore
     - Fixed that disabling HTTP response splitting protection also disabled
       NUL byte protection in HTTP headers
     - Removed crypt() support - because not used for PHP >= 5.3.0 anyway
   * Update watch file, upstream changed naming scheme






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 May 2013 08:00:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:52:08 2019; Machine Name: buxtehude
