[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: utf-8 security issue in php - 2 CVEs?
From:       Pierre Joye <pierre.php () gmail ! com>
Date:       2010-11-17 15:50:59
Message-ID: AANLkTimfA08HwCnr0fcY7uQ8-UtV0gxBTrmdYqZUw0Lt () mail ! gmail ! com
[Download RAW message or body]

On Wed, Nov 17, 2010 at 4:45 AM, Huzaifa Sidhpurwala
<huzaifas@redhat.com> wrote:
> On 11/16/2010 08:40 PM, Pierre Joye wrote:
>> hi,
>>
>> New fixes or improved fixes, even for known flaw, get new CVE #. I was
>> not sure about that a couple of months ago, but that's the answer I
>> got when I asked about the policy for such cases. I think it makes
>> even more sense in this particular flaw.
>>
> Right,
> However i am wondering why there is no mention of CVE-2009-5016 in the
> php NEWS file from the SVN.
> It only mentions:
>
> "
> - Fixed bug #49687 (utf8_decode vulnerabilities and deficiencies in the
> number
>  of reported malformed sequences). (CVE-2010-3870) (Gustavo)
> "

I only updated the NEWS for the upcoming release as the fix applies to
this specific CVE.

However I can add a ref to CVE-2009-5016 to the related NEWS entry
(for the record, as it was released already), if you have found it :)

-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

[prev in list] [next in list] [prev in thread] [next in thread]