Package: php5
Severity: serious
Tags: security

Hi,

A bug in crypt_blowfish was reported [1,2,3]. The RH report [4] may be useful too.

The function BF_set_key in ./ext/standard/crypt_blowfish.c is vulnerable.

Can you confirm that the bug affects the Debian packages? If so, please consider providing patches for stable and oldstable besides sid.

The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2483. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry.

[1] http://www.openwall.com/lists/oss-security/2011/06/20/2
[2] http://www.openwall.com/lists/john-dev/2011/06/20/3
[3] http://www.openwall.com/lists/john-dev/2011/06/20/5
[4] https://bugzilla.redhat.com/show_bug.cgi?id=715025

-luciano