Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4718 to the following vulnerability:

Name: CVE-2011-4718
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718
Assigned: 20111209
Reference: https://bugs.php.net/bug.php?id=60491
Reference: https://wiki.php.net/rfc/strict_sessions
Reference: http://git.php.net/?p=php-src.git;a=commit;h=169b78eb79b0e080b67f9798708eb3771c6d0b2f
Reference: http://git.php.net/?p=php-src.git;a=commit;h=25e8fcc88fa20dc9d4c47184471003f436927cde

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.
These look like the relevant commits:

http://git.php.net/?p=php-src.git;a=commitdiff;h=25e8fcc88fa20dc9d4c47184471003f436927cde (Strict session)
http://git.php.net/?p=php-src.git;a=commitdiff;h=82b0e8be99065b61b622df21bbc7494d2fbca3cd (Strict session. Detect session id collision)
http://git.php.net/?p=php-src.git;a=commitdiff;h=b80d73ce154e7f740f9ada446f45dbcdac38a64b (fix crash, enable session_id and fix test)

These are not minor changes, however.
Created php tracking bugs for this issue:

Affects: fedora-all [bug 998341]
Upstream suggests that this flaw can be mitigated by making changes to userland code, as detailed in: https://wiki.php.net/rfc/strict_sessions#current_solution
This patch has been applied to php-5.5.3 branch (not released yet). The patch is however pretty invasive and mitigation techniques exist as mentioned in comment #4. Therefore this patch will not be backported to the older versions of php and php53 as shipped with Red Hat Enterprise Linux 5 and 6.

Statement:

This issue affects the version of php and php53 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of php as shipped with Red Hat Enterprise Linux 6 and 7. The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in future updates. This issue may be mitigated with user code changes as noted in https://wiki.php.net/rfc/strict_sessions#current_solution
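A userland guard of the kind the two comments above refer to can take roughly the following form. This is an added example, not code from the PHP project, the RFC or Red Hat; the function names and the `initiated` marker key are assumptions, and the session ID in the demonstration is constructed.

```php
<?php
// Added example: userland guard against adopting a client-chosen session ID.
// start_strict_session(), on_login() and the 'initiated' key are hypothetical names.

function start_strict_session(): void
{
    ini_set('session.use_only_cookies', '1'); // do not accept IDs from the URL
    ini_set('session.use_trans_sid', '0');    // do not emit IDs into URLs
    session_start();

    // Sessions created by this code always carry the marker. An ID that the
    // client supplied and that matched no stored session arrives empty.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);          // discard the adopted ID
        $_SESSION = ['initiated' => true];
    }
}

function on_login(string $userId): void
{
    // New ID at every privilege change, so an ID fixed before authentication
    // is never the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Demonstration from the CLI with a constructed ID standing in for one
// presented by the client in its cookie.
if (PHP_SAPI === 'cli') {
    $supplied = 'constructedfixedid0000';
    session_id($supplied);
    start_strict_session();
    $afterStart = session_id();
    on_login('alice');
    $afterLogin = session_id();
    session_write_close();
    // Output is deferred to here because the session calls must precede any output.
    echo $afterStart !== $supplied ? "supplied ID rejected\n" : "supplied ID adopted\n";
    echo $afterLogin !== $afterStart ? "ID rotated at login\n" : "ID unchanged at login\n";
}
```

In a web application, `start_strict_session()` replaces the bare `session_start()` call at the top of each request, before any output is sent.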
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Any ideas when the fix for this CVE will make it into the RHEL 5.9 repo?
Hi, Angelo. As noted in comment #5, the patch is very invasive so there are currently no plans to backport the patch.
Additionally, will this be considered for EL6.5? Given el6 is still in Production 1, I think this should be added.
Hi, William. The same problem noted in comment #10 exists for RHEL6. It largely depends on whether or not upstream (who are clearly the experts here) will port this to the still-supported 5.4 or not.