Red Hat Bugzilla – Bug 996774
CVE-2011-4718 php: session fixation vulnerability allows remote hijacking of sessions
Last modified: 2015-04-10 02:43:30 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-4718 to
the following vulnerability:
Session fixation vulnerability in the Sessions subsystem in PHP before
5.5.2 allows remote attackers to hijack web sessions by specifying a
These look like the relevant commits:
http://git.php.net/?p=php-src.git;a=commitdiff;h=25e8fcc88fa20dc9d4c47184471003f436927cde (Strict session)
http://git.php.net/?p=php-src.git;a=commitdiff;h=82b0e8be99065b61b622df21bbc7494d2fbca3cd (Strict session. Detect session id collision)
http://git.php.net/?p=php-src.git;a=commitdiff;h=b80d73ce154e7f740f9ada446f45dbcdac38a64b (fix crash, enable session_id and fix test)
These are not minor changes, however.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 998341]
Upstream suggests that this flaw can be mitigated by making changes to userland code, as detailed in:
This patch has been applied to the php-5.5.3 branch (not released yet). The patch is however pretty invasive, and mitigation techniques exist as mentioned in comment #4. Therefore this patch will not be backported to the older versions of php and php53 as shipped with Red Hat Enterprise Linux 5 and 6.
This issue affects the version of php and php53 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of php as shipped with Red Hat Enterprise Linux 6 and 7. The Red Hat Security Response Team has rated this issue as having moderate security impact. This issue is not currently planned to be addressed in future updates. This issue may be mitigated with user code changes as noted in https://wiki.php.net/rfc/strict_sessions#current_solution
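The userland mitigation that the comments above point to (the "current solution" in the strict sessions RFC) boils down to never trusting a session ID the server did not itself issue: after session_start(), if the session carries no server-set marker, regenerate the ID before storing anything under it. The following is an added illustration of that pattern, not code from this bug report, from Red Hat, or from PHP upstream; the marker key name and the function names are this example's own choices. It is written against PHP 5.3-era syntax since that is what the affected RHEL packages ship.

```php
<?php
// Added example of the userland session-fixation mitigation, written to run on
// PHP 5.3+ (no short array syntax, no type declarations). The marker key
// '__server_issued' is an arbitrary name chosen for this example.

define('SESSION_ISSUED_MARKER', '__server_issued');

/**
 * Start the session without adopting a client-supplied ID as a live session.
 *
 * Without strict mode PHP accepts any well-formed ID from the cookie and creates
 * an empty session under it. An attacker who plants such an ID in a victim's
 * browser therefore knows the victim's session ID after login. A marker stored
 * server-side in $_SESSION can only be present if this code created the session,
 * so its absence means the ID was not issued here and must be replaced.
 */
function start_session_safely()
{
    // Cookie hardening alongside the fix: lifetime 0 (browser session), path '/',
    // default domain, secure=true, httponly=true. Drop 'secure' only on plain-HTTP
    // development hosts, never in production.
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    if (empty($_SESSION[SESSION_ISSUED_MARKER])) {
        // New session or an ID this server never handed out: issue a fresh ID,
        // delete any data stored under the old one, and start from a clean state.
        session_regenerate_id(true);
        $_SESSION = array();
        $_SESSION[SESSION_ISSUED_MARKER] = true;
    }
}

/**
 * Rotate the ID at every privilege change so that the pre-authentication ID,
 * even a legitimately issued one, is never the authenticated session's ID.
 */
function on_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION = array();
    $_SESSION[SESSION_ISSUED_MARKER] = true;
    $_SESSION['user_id'] = (int) $user_id;
}

/**
 * Logout: clear server-side state, drop the cookie, and destroy the session so
 * the old ID cannot be replayed.
 */
function on_logout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of every request that uses sessions:
start_session_safely();
```

The marker lives in the server-side session store, which the attacker cannot write to, so a planted ID never passes the check. Regenerating on login as well covers the case where the attacker obtained a validly issued ID some other way before the victim authenticated; this is also what the php.net session documentation recommends regardless of the fixation fix in 5.5.2.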
php-5.5.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Any ideas when the fix for this CVE will make it into the RHEL 5.9 repo?
Hi, Angelo. As noted in comment #5, the patch is very invasive so there are currently no plans to backport the patch.
Additionally, will this be considered for EL6.5? Given EL6 is still in Production 1, I think this should be added.
Hi, William. The same problem noted in comment #10 exists for RHEL6. It largely depends on whether or not upstream (who are clearly the experts here) will port this to the still-supported 5.4 or not.