Bug #67720 Backport security and usability fixes to PHP 5.3
Submitted: 2014-07-30 17:21 UTC
Modified: 2016-07-30 14:00 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: neweracracker at gmail dot com
Assigned: johannes
Status: Closed
Package: *General Issues
PHP Version: 5.3
OS: Irrelevant
Private report: No
CVE-ID: None
 [2014-07-30 17:21 UTC] neweracracker at gmail dot com
Description:
------------
I noticed security related bugfixes were backported to PHP 5.3 branch:
http://git.php.net/?p=php-src.git;a=shortlog;h=refs/heads/PHP-5.3

It is my opinion that there are two more bugfixes to be backported. One is a usability fix for the SSL certificates using GeneralizedTime format, see bugs #65698 and #66636.

Another one is for issues related with type confusion:
http://git.php.net/?p=php-src.git;a=commit;h=b4a4db467b6a1e90131705832f1a3613a60c4259

I have made the following patches, adapted from git commits, against the PHP 5.3.28 source tar, and there may be some changes in the current code I have not accounted for.

I would like to see this backported to the PHP 5.3 branch. And, when the time is right, a final release for PHP 5.3 (PHP 5.3.29).

Thanks for all the hard work.

Regards,
NewEraCracker


Patches

php5.3.28-type-check-fix-new (last revision 2014-07-30 23:27 UTC by neweracracker at gmail dot com)
php5.3.29dev-bug65698-bug66636 (last revision 2014-07-30 20:50 UTC by neweracracker at gmail dot com)
php5.3.28-type-check-fix (last revision 2014-07-30 17:22 UTC by neweracracker at gmail dot com)
php5.3.28-bug65698-bug66636 (last revision 2014-07-30 17:21 UTC by neweracracker at gmail dot com)

History

 [2014-07-30 17:40 UTC] requinix@php.net
-Status: Open +Status: Wont fix -PHP Version: Irrelevant +PHP Version: 5.3
 [2014-07-30 17:40 UTC] requinix@php.net
PHP 5.3 is EOL, however it will have one final release for some security fixes.
No usability fixes, no warning fixes.

http://markmail.org/thread/hqzeneo77i35pn5z
 [2014-07-30 20:06 UTC] nikic@php.net
-Assigned To: +Assigned To: johannes
 [2014-07-30 20:06 UTC] nikic@php.net
@requinix: At least the second patch may be classified as a security fix (same as the phpinfo one). And if I understood correctly, the first patch fixes problems (maybe a BC break?) introduced by another security patch.

Assigning johannes so he can check whether or not these should be included.
 [2014-07-30 20:55 UTC] neweracracker at gmail dot com
That's correct nikic.
 [2014-07-30 21:58 UTC] requinix@php.net
-Status: Wont fix +Status: Open
 [2014-07-30 21:58 UTC] requinix@php.net
Alright. When I checked the patches I only saw changes to type checks, warning messages, and year calculations. Meanwhile the two bugs didn't mention potential security problems: a Y2K bug that would expire future certs and an incorrect warning about valid dates.

I'll flip this back to open so there's no confusion about why it's wontfix.
 [2016-07-30 14:00 UTC] nikic@php.net
-Status: Assigned +Status: Closed
 [2016-07-30 14:00 UTC] nikic@php.net
Closing as 5.3.29 is long gone. Looking at the changelog both patches seem to have made it in (http://php.net/ChangeLog-5.php#5.3.29).
 