On Fri, Sep 19, 2014 at 6:49 PM, Remi Collet <r...@fedoraproject.org> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Le 19/09/2014 18:25, Daniel Lowrey a écrit : >>>> In an effort to fix a very old (seven years old) DoS >>>> vulnerability involving encrypted streams I created a >>>> regression where feof() notifications on encrypted sockets are >>>> broken. This is present in both the most recent 5.4.33 and >>>> 5.5.17 releases. >> >>> Can you please point us to the related commit... (which one cause >>> the regression, which ones are useful) >> >> In 5.4.33 and 5.5.17 an immediate fix is to revert these commits: >> >> http://git.php.net/?p=php-src.git;a=commitdiff;h=6569db88081562f68a4f79e52cba83482bdf05fc >> >> >> http://git.php.net/?p=php-src.git;a=commitdiff;h=372844918a318ad712e16f9ec636682424a65403 >> >> >> http://git.php.net/?p=php-src.git;a=commitdiff;h=32be79dcfa1bc5af8682d9f512da68c5b3e2cbf3 >> >> The last of these (32be79d) has already been fixed upstream by >> f86b2193a483f56b0bd056570a0cdb57ebe66e2f but this change did not go >> into 5.4.33 and 5.5.17. Any reverts should also consider f86b2193. >> >>> Does a revert of the first enough to get back to previous >>> behavior? >> >> Yes, reverting the above commits above will fix any issues. I'm >> awaiting word from someone associated with Horde to verify that the >> previously linked patch ( >> https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621) >> >> > resolves the issue. As long as that works as expected I can merge that and >> everything should be resolved going forward. >> > > After a quick check > > 6569db8 and 32be79d are in 5.4.33 / 5.5.17 / 5.6.1RC1 > f86b219 and 3728449 are in 5.6.1RC1 only > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iEYEARECAAYFAlQcXrUACgkQYUppBSnxahgfigCfUYmoYXJJYC0JKmLi/tg+mo1r > mwwAoNXbDpPsdrVfzFWUy4tuOssqR256 > =OUHp > -----END PGP SIGNATURE----- > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php >
Hi, That's a bad thing we need to fix ASAP. I think for 5.6.1 we'll revert it , if not, we'll need an RC2, which is something we usually don't do (but as this could involve security, we may do it). The fix can be merged to 5.5.18RC1, next week, to have an RC cycle if not part of a 5.6.1RC2 (tag is tomorrow) 5.6 and 5.5 actually overlap in the release weeks. 5.6 is planned on odd weeks whereas 5.5 is on even weeks. Waiting for Ferenc's advice anyway. Julien.P -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
