From fredrik at rinnestam.se  Wed Aug 14 14:35:41 2013
From: fredrik at rinnestam.se (Fredrik Rinnestam)
Date: Wed, 14 Aug 2013 16:35:41 +0200
Subject: [crux-devel] [oeriksson@mandriva.com: [oss-security] CVE Request -- php - handling of certs with null bytes]
Message-ID: <20130814143541.GB682@zoidberg.obra.lan>

----- Forwarded message from Oden Eriksson -----

Date: Wed, 14 Aug 2013 10:47:06 +0200
From: Oden Eriksson
To: oss-security at lists.openwall.com
Subject: [oss-security] CVE Request -- php - handling of certs with null bytes
User-Agent: KMail/4.10.5 (Linux/3.8.13.4-desktop-1.mga3; KDE/4.10.5; x86_64; ; )

Hello,
A similar flaw as in ruby and python was discovered and fixed for php.

ruby - CVE-2013-4073
python - CVE-2013-4238
php - CVE-2013-????

http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/[1]

Upstream fixes:

http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755[2]

http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897[3]


_https://bugs.mageia.org/show_bug.cgi?id=10997_

Cheers.

--------
[1] http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
[2] http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
[3] http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897

----- End forwarded message -----

-- 
Fredrik Rinnestam

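Added example, not part of the thread and not the PHP, Ruby or Python patch: a minimal C illustration of the bug class named in the forwarded subject, where a certificate name containing a NUL byte is compared as a C string and so matches a shorter hostname. The `cert_name` struct, the function names and the sample names are constructed for this illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an ASN.1 string: bytes plus an explicit length. */
struct cert_name { const char *data; size_t len; };

/* Constructed sample names; the first embeds a NUL after the trusted host. */
static const char CRAFTED[] = "www.example.com\0.invalid.example";
static const char HONEST[]  = "www.example.com";

struct cert_name crafted_name(void) { struct cert_name n = { CRAFTED, sizeof CRAFTED - 1 }; return n; }
struct cert_name honest_name(void)  { struct cert_name n = { HONEST,  sizeof HONEST  - 1 }; return n; }

static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed: ignores n->len and lets strlen() stop at the first NUL byte. */
int match_truncating(const struct cert_name *n, const char *host)
{
    size_t seen = strlen(n->data);
    return seen == strlen(host) && eq_nocase(n->data, host, seen);
}

/* Hardened: a name with an embedded NUL never matches; compare all n->len bytes. */
int match_length_aware(const struct cert_name *n, const char *host)
{
    if (memchr(n->data, '\0', n->len) != NULL)
        return 0;
    return n->len == strlen(host) && eq_nocase(n->data, host, n->len);
}

int main(void)
{
    struct cert_name c = crafted_name(), h = honest_name();
    printf("crafted: truncating=%d length_aware=%d\n",
           match_truncating(&c, "www.example.com"), match_length_aware(&c, "www.example.com"));
    printf("honest:  truncating=%d length_aware=%d\n",
           match_truncating(&h, "www.example.com"), match_length_aware(&h, "www.example.com"));
    return 0;
}
```
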
From jue at jue.li  Fri Aug 16 07:02:47 2013
From: jue at jue.li (Juergen Daubert)
Date: Fri, 16 Aug 2013 09:02:47 +0200
Subject: [crux-devel] [oeriksson@mandriva.com: [oss-security] CVE Request -- php - handling of certs with null bytes]
In-Reply-To: <20130814143541.GB682@zoidberg.obra.lan>
References: <20130814143541.GB682@zoidberg.obra.lan>
Message-ID: <20130816070247.GA20812@jue.netz>

On Wed, Aug 14, 2013 at 04:35:41PM +0200, Fredrik Rinnestam wrote:
> ----- Forwarded message from Oden Eriksson -----
>
> Date: Wed, 14 Aug 2013 10:47:06 +0200
> From: Oden Eriksson
> To: oss-security at lists.openwall.com
> Subject: [oss-security] CVE Request -- php - handling of certs with null bytes
> User-Agent: KMail/4.10.5 (Linux/3.8.13.4-desktop-1.mga3; KDE/4.10.5; x86_64; ; )
>
> Hello,
> A similar flaw as in ruby and python was discovered and fixed for php.
>
> ruby - CVE-2013-4073
> python - CVE-2013-4238
> php - CVE-2013-????
>
> http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/[1]
>
> Upstream fixes:
>
> http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755[2]
>
> http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897[3]
>
>
> _https://bugs.mageia.org/show_bug.cgi?id=10997_
>
> Cheers.
>
> --------
> [1] http://www.ruby-lang.org/en/news/2013/06/27/hostname-check-bypassing-vulnerability-in-openssl-client-cve-2013-4073/
> [2] http://git.php.net/?p=php-src.git;a=commit;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
> [3] http://git.php.net/?p=php-src.git;a=commit;h=2874696a5a8d46639d261571f915c493cd875897
>
> ----- End forwarded message -----
>

Thanks for the info! Testing new php 5.4.18, which includes a fix for this
bug, right now.

Greetings
Juergen

From alan+crux at mizrahi.com.ve  Wed Aug 28 10:48:55 2013
From: alan+crux at mizrahi.com.ve (Alan Mizrahi)
Date: Wed, 28 Aug 2013 19:48:55 +0900
Subject: [crux-devel] prt-get --group
Message-ID: <137798620.DAT9u72eeq@ares>

Hi people,

I made a change in prt-get to add a --group parameter.
When --group is present the operation becomes a group operation, and a failure to
install or upgrade a package makes prt-get stop.

So:
prt-get grpinst ...

Becomes:
prt-get install --group ...

But one can also use it with the other invocations:
prt-get update --group ...
prt-get depinst --group ...
prt-get sysup --group

This renders grpinst obsolete, so the patch also removes it.

Any opinions?

Best regards,

Alan Mizrahi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: prt-get-group.patch
Type: text/x-patch
Size: 13711 bytes
Desc: not available

From fredrik at rinnestam.se  Fri Aug 30 17:02:38 2013
From: fredrik at rinnestam.se (Fredrik Rinnestam)
Date: Fri, 30 Aug 2013 19:02:38 +0200
Subject: [crux-devel] prt-get --group
In-Reply-To: <137798620.DAT9u72eeq@ares>
References: <137798620.DAT9u72eeq@ares>
Message-ID: <20130830170238.GA12772@zoidberg.obra.lan>

On Wed, Aug 28, 2013 at 07:48:55PM +0900, Alan Mizrahi wrote:
> Hi people,
>
> I made a change in prt-get to add a --group parameter.
> When --group is present the operation becomes a group operation, and a failure to
> install or upgrade a package makes prt-get stop.
>
> So:
> prt-get grpinst ...
>
> Becomes:
> prt-get install --group ...
>
> But one can also use it with the other invocations:
> prt-get update --group ...
> prt-get depinst --group ...
> prt-get sysup --group
>
> This renders grpinst obsolete, so the patch also removes it.
>
> Any opinions?

Hey Alan. Sorry for the late reply.
It's not because I lack appreciation or interest, just have been busy ;)
Hopefully this weekend I'll have some time/energy over to dive into your
changes.

-- 
Fredrik Rinnestam