Doc Bug #64360 Premature vulnerability disclosure in changelog
Submitted: 2013-03-05 19:04 UTC
Modified: 2013-06-16 23:45 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: sarciszewski at knights dot ucf dot edu
Assigned: stas
Status: Closed
Package: Documentation problem
PHP Version: Irrelevant
OS: Any
Private report: No
CVE-ID: None
 [2013-03-05 19:04 UTC] sarciszewski at knights dot ucf dot edu
Description:
------------
https://github.com/php/php-src/blob/php-5.4.13RC1/NEWS

Versus

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1643

In the future, please do not go into detail for a CVE until the patch is released. Even though you guys know, it might as well be a 0day to me because I run 5.4.12 (current stable).

Test script:
---------------
N/A

Expected result:
----------------
- SOAP
  . Fixed security bug (CVE-2013-1635). (Dmitry)
  . Fixed security bug (CVE-2013-1643). (Dmitry)

Actual result:
--------------
- SOAP
  . Added check that soap.wsdl_cache_dir conforms to open_basedir
    (CVE-2013-1635). (Dmitry)
  . Disabled external entities loading (CVE-2013-1643). (Dmitry)

History

 [2013-06-16 23:45 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
 [2013-06-16 23:45 UTC] stas@php.net
We'll take it into consideration, thanks.