Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:77469
Return-Path: <julienpauli@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 64140 invoked from network); 22 Sep 2014 15:28:11 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 Sep 2014 15:28:11 -0000
Authentication-Results: pb1.pair.com smtp.mail=julienpauli@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=julienpauli@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.176 as permitted sender)
X-PHP-List-Original-Sender: julienpauli@gmail.com
X-Host-Fingerprint: 209.85.216.176 mail-qc0-f176.google.com  
Received: from [209.85.216.176] ([209.85.216.176:57803] helo=mail-qc0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 70/00-64052-90040245 for <internals@lists.php.net>; Mon, 22 Sep 2014 11:28:09 -0400
Received: by mail-qc0-f176.google.com with SMTP id o8so225626qcw.7
        for <internals@lists.php.net>; Mon, 22 Sep 2014 08:28:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc:content-type:content-transfer-encoding;
        bh=qfIPetxsVo3vDasgiKfZVFs7MFhkIW2NqifQakFeWpc=;
        b=RreH/dSxQWG/cBoVxnH+xAkP/lT13LYW7EDN+TDa1JJiqQRbL9qteKNYDLo/VSQ+gR
         HNnp3qor80icT4a8ZYyCocCpB6h6xCGsgEmbDCFNJx+u2lxUAKADJay5IpPom+v/W8Ag
         XMQg4zUJk/SVMhEIwZT/fPyKhMH989Z9OrD/Oxqr1cV6kbSlIjQWHnLo7iW+94IpEvrp
         LQhbnMeLHKLU5K6RmEwlnqRIDempD4d0mi0qvYJaWxtEh7FWDzVU9Q5Yl4jsx3V6ucwp
         6akhZj+ekEYMzDSAgUJeDBYQ1wvdaMLtvntZXgGdjW0WGv/kihPSn1kJuzOk5tHHVdng
         HNNA==
X-Received: by 10.140.21.177 with SMTP id 46mr9784772qgl.90.1411399686420;
 Mon, 22 Sep 2014 08:28:06 -0700 (PDT)
MIME-Version: 1.0
Sender: julienpauli@gmail.com
Received: by 10.140.48.203 with HTTP; Mon, 22 Sep 2014 08:27:26 -0700 (PDT)
In-Reply-To: <541C5EB5.6090001@fedoraproject.org>
References: <CAH8MpnkkYEAR38ujdjsa+RUzAhzLmp62vTFJio0+XUmJzba6qQ@mail.gmail.com>
 <541C5EB5.6090001@fedoraproject.org>
Date: Mon, 22 Sep 2014 17:27:26 +0200
X-Google-Sender-Auth: vAxLGeEkaty1CQWa58m_xwlsOkE
Message-ID: <CAMUwpuQuHjm0CDuDgUAtB46hfoYLF67pQFUMy43U2=_wLfDPGw@mail.gmail.com>
To: Remi Collet <remi@fedoraproject.org>, Ferenc Kovacs <tyra3l@gmail.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] Re: OpenSSL bug in 5.4.33 and 5.5.17
From: jpauli@php.net (Julien Pauli)

On Fri, Sep 19, 2014 at 6:49 PM, Remi Collet <remi@fedoraproject.org> wrote=
:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Le 19/09/2014 18:25, Daniel Lowrey a =C3=A9crit :
>>>> In an effort to fix a very old (seven years old) DoS
>>>> vulnerability involving encrypted streams I created a
>>>> regression where feof() notifications on encrypted sockets are
>>>> broken. This is present in both the most recent 5.4.33 and
>>>> 5.5.17 releases.
>>
>>> Can you please point us to the related commit... (which one cause
>>> the regression, which ones are useful)
>>
>> In 5.4.33 and 5.5.17 an immediate fix is to revert these commits:
>>
>> http://git.php.net/?p=3Dphp-src.git;a=3Dcommitdiff;h=3D6569db88081562f68=
a4f79e52cba83482bdf05fc
>>
>>
>> http://git.php.net/?p=3Dphp-src.git;a=3Dcommitdiff;h=3D372844918a318ad71=
2e16f9ec636682424a65403
>>
>>
>> http://git.php.net/?p=3Dphp-src.git;a=3Dcommitdiff;h=3D32be79dcfa1bc5af8=
682d9f512da68c5b3e2cbf3
>>
>>  The last of these (32be79d) has already been fixed upstream by
>> f86b2193a483f56b0bd056570a0cdb57ebe66e2f but this change did not go
>> into 5.4.33 and 5.5.17. Any reverts should also consider f86b2193.
>>
>>> Does a revert of the first enough to get back to previous
>>> behavior?
>>
>> Yes, reverting the above commits above will fix any issues. I'm
>> awaiting word from someone associated with Horde to verify that the
>> previously linked patch (
>> https://bugs.php.net/patch-display.php?bug=3D41631&patch=3Dbug41631.patc=
h&revision=3D1411139621)
>>
>>
> resolves the issue. As long as that works as expected I can merge that an=
d
>> everything should be resolved going forward.
>>
>
> After a quick check
>
> 6569db8 and 32be79d are in 5.4.33 / 5.5.17 / 5.6.1RC1
> f86b219 and 3728449 are in 5.6.1RC1 only
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlQcXrUACgkQYUppBSnxahgfigCfUYmoYXJJYC0JKmLi/tg+mo1r
> mwwAoNXbDpPsdrVfzFWUy4tuOssqR256
> =3DOUHp
> -----END PGP SIGNATURE-----
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>


Hi,

That's a bad thing we need to fix ASAP.

I think for 5.6.1 we'll revert it , if not, we'll need an RC2, which
is something we usually don't do (but as this could involve security,
we may do it).
The fix can be merged to 5.5.18RC1, next week, to have an RC cycle if
not part of a 5.6.1RC2 (tag is tomorrow)

5.6 and 5.5 actually overlap in the release weeks. 5.6 is planned on
odd weeks whereas 5.5 is on even weeks.

Waiting for Ferenc's advice anyway.

Julien.P