Bug 996774 (CVE-2011-4718)
Summary: | CVE-2011-4718 php: session fixation vulnerability allows remote hijacking of sessions | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | angelo.alvarez, bleanhar, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkurik, jorton, jrusnack, lmeyer, mmcgrath, rcollet, rpm, webstack-team, william |
Target Milestone: | --- | Keywords: | Security |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | php 5.5.2 | Doc Type: | Bug Fix |
Last Closed: | 2015-04-09 08:20:55 UTC | Type: | --- |
Bug Depends On: | 998341 | ||
Bug Blocks: | 996775 |
Description
Vincent Danen
2013-08-13 22:43:59 UTC
These look like the relevant commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=25e8fcc88fa20dc9d4c47184471003f436927cde (Strict session)
http://git.php.net/?p=php-src.git;a=commitdiff;h=82b0e8be99065b61b622df21bbc7494d2fbca3cd (Strict session. Detect session id collision)
http://git.php.net/?p=php-src.git;a=commitdiff;h=b80d73ce154e7f740f9ada446f45dbcdac38a64b (fix crash, enable session_id and fix test)

These are not minor changes, however.

Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]

Upstream suggests that this flaw can be mitigated by making changes to userland code, as detailed in:

https://wiki.php.net/rfc/strict_sessions#current_solution

This patch has been applied to the php-5.5.3 branch (not released yet). The patch is, however, pretty invasive, and mitigation techniques exist as mentioned in comment #4. Therefore this patch will not be backported to the older versions of php and php53 as shipped with Red Hat Enterprise Linux 5 and 6.

Statement:

This issue affects the versions of php and php53 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of php as shipped with Red Hat Enterprise Linux 6 and 7. The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in future updates. This issue may be mitigated with user code changes as noted in https://wiki.php.net/rfc/strict_sessions#current_solution

php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

Any ideas when the fix for this CVE will make it into the RHEL 5.9 repo?

Hi, Angelo. As noted in comment #5, the patch is very invasive so there are currently no plans to backport the patch. Additionally,

Will this be considered for EL6.5? Given el6 is still in Production 1, I think this should be added.

Hi, William. The same problem noted in comment #10 exists for RHEL6. It largely depends on whether or not upstream (who are clearly the experts here) will port this to the still-supported 5.4 or not.