Newsgroups: php.internals
Date: Fri, 19 Sep 2014 12:25:19 -0400
From: rdlowrey@php.net (Daniel Lowrey)
To: "internals@lists.php.net", remi@fedoraproject.org
Subject: Re: OpenSSL bug in 5.4.33 and 5.5.17

>> In an effort to fix a very old (seven years old) DoS vulnerability
>> involving encrypted streams I created a regression where feof()
>> notifications on encrypted sockets are broken. This is present in
>> both the most recent 5.4.33 and 5.5.17 releases.

> Can you please point us to the related commit...
> (which one causes the regression, which ones are useful)

In 5.4.33 and 5.5.17 an immediate fix is to revert these commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=6569db88081562f68a4f79e52cba83482bdf05fc
http://git.php.net/?p=php-src.git;a=commitdiff;h=372844918a318ad712e16f9ec636682424a65403
http://git.php.net/?p=php-src.git;a=commitdiff;h=32be79dcfa1bc5af8682d9f512da68c5b3e2cbf3

The last of these (32be79d) has already been fixed upstream by
f86b2193a483f56b0bd056570a0cdb57ebe66e2f but this change did not go into
5.4.33 and 5.5.17. Any reverts should also consider f86b2193.

> Is a revert of the first enough to get back to previous behavior?

Yes, reverting the above commits will fix any issues. I'm awaiting
word from someone associated with Horde to verify that the previously
linked patch (
https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621)
resolves the issue. As long as that works as expected I can merge that and
everything should be resolved going forward.