Newsgroups: php.internals
Message-ID: <541C5EB5.6090001@fedoraproject.org>
Date: Fri, 19 Sep 2014 18:49:57 +0200
To: PHP Internals
Subject: Re: OpenSSL bug in 5.4.33 and 5.5.17
From: remi@fedoraproject.org (Remi Collet)

On 19/09/2014 18:25, Daniel Lowrey wrote:
>>> In an effort to fix a very old (seven years old) DoS
>>> vulnerability involving encrypted streams I created a
>>> regression where feof() notifications on encrypted sockets are
>>> broken. This is present in both the most recent 5.4.33 and
>>> 5.5.17 releases.
>
>> Can you please point us to the related commit... (which one causes
>> the regression, which ones are useful)
>
> In 5.4.33 and 5.5.17 an immediate fix is to revert these commits:
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=6569db88081562f68a4f79e52cba83482bdf05fc
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=372844918a318ad712e16f9ec636682424a65403
>
> http://git.php.net/?p=php-src.git;a=commitdiff;h=32be79dcfa1bc5af8682d9f512da68c5b3e2cbf3
>
> The last of these (32be79d) has already been fixed upstream by
> f86b2193a483f56b0bd056570a0cdb57ebe66e2f but this change did not go
> into 5.4.33 and 5.5.17. Any reverts should also consider f86b2193.
>
>> Is a revert of the first enough to get back to previous
>> behavior?
>
> Yes, reverting the above commits will fix any issues. I'm
> awaiting word from someone associated with Horde to verify that the
> previously linked patch
> (https://bugs.php.net/patch-display.php?bug=41631&patch=bug41631.patch&revision=1411139621)
> resolves the issue. As long as that works as expected I can merge that and
> everything should be resolved going forward.
>

After a quick check

6569db8 and 32be79d are in 5.4.33 / 5.5.17 / 5.6.1RC1
f86b219 and 3728449 are in 5.6.1RC1 only