Newsgroups: php.internals
Xref: news.php.net php.internals:73248
Date: Tue, 18 Mar 2014 07:07:08 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Andrey Andreev
Cc: Pierre Joye, internals@lists.php.net
Subject: Re: [PHP-DEV] Session: deprecating create_sid() method and add createSid()?

Hi Andrey,

On Tue, Mar 18, 2014 at 6:59 AM, Andrey Andreev wrote:
> On Mon, Mar 17, 2014 at 11:15 PM, Pierre Joye wrote:
>> hi,
>>
>> On Mon, Mar 17, 2014 at 10:09 PM, Yasuo Ohgaki wrote:
>>
>> For one, I appreciate the effort that both of you put on the session
>> management.
>>
>> It seems that you are somehow alone to discuss this issue and slightly
>> in circle right now.
>>
>> I would suggest two steps:
>>
>> - sit down together for a chat and get your stuff together. It will be by
>>   far more efficient than mails
>>
>> - write one or more RFCs to fix what should be fixed, how and why (see
>>   next point :)
>>
>> - provide more info about the actual critical security impact that
>>   could be fixed by the changes
>>   as of now, I failed to see any CVE related to what you are referring to
>
> We'll surely do that.
> In fact, I was just about to write Yasuo a private mail about some
> security issues, because I didn't find an option to report a bug and
> make it hidden. Is there such an option, or does the CVE assignment
> process allow that? (I'm not familiar with it)

Getting a CVE is easy. One just has to describe what the vulnerability is
and send a request mail to MITRE. If the personnel at MITRE agree that it is
a new vulnerability, they give us a new CVE; if not, they give us an
existing CVE.

I don't think this (the session_regenerate_id() issue) is a PHP CVE issue,
as it may be avoided in userland, like the timing attack issue.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net