>> In an effort to fix a very old (seven years old) DoS vulnerability
>> involving encrypted streams I created a regression where feof()
>> notifications on encrypted sockets are broken. This is present in
>> both the most recent 5.4.33 and 5.5.17 releases.

> Can you please point us to the related commit...
> (which one causes the regression, which ones are useful)

In 5.4.33 and 5.5.17 an immediate fix is to revert these commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=6569db88081562f68a4f79e52cba83482bdf05fc
http://git.php.net/?p=php-src.git;a=commitdiff;h=372844918a318ad712e16f9ec636682424a65403
http://git.php.net/?p=php-src.git;a=commitdiff;h=32be79dcfa1bc5af8682d9f512da68c5b3e2cbf3

The last of these (32be79d) has already been fixed upstream by
f86b2193a483f56b0bd056570a0cdb57ebe66e2f but this change did not go
into 5.4.33 and 5.5.17. Any reverts should also consider f86b2193.

> Is a revert of the first enough to get back to previous behavior?

Yes, reverting the commits above will fix any issues.

I'm awaiting word from someone associated with Horde to verify that
the previously linked patch
(https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621)
resolves the issue. As long as that works as expected I can merge that
and everything should be resolved going forward.