openssl_random_pseudo_bytes() security bug and PHP packages

Asked by vinc-q on 2016-01-14

Are Ubuntu official PHP packages patched against the openssl_random_pseudo_bytes() security bug (https://bugs.php.net/bug.php?id=70014)?

Question information

Language: English
Status: Answered
For: Ubuntu php5
Assignee: No assignee
Last query: 2016-01-14
Last reply: 2016-01-14

I suggest you report a bug. Mark it as a security bug and add your link in the bug.

vinc-q (vinc-q) said : #2

I don't know if Ubuntu official PHP packages are patched against the openssl_random_pseudo_bytes() security bug; I'm just asking :)

Manfred Hampl (m-hampl) said : #3

When browsing the Ubuntu php5 change logs I cannot find anything.
And also the bug listing does not show anything that seems to cover that.
This seems not to have a CVE number, so it is harder to track.

http://php.net/ChangeLog-5.php shows that the vulnerability is corrected in the versions 5.6.12, 5.5.28, 5.4.44, so it might well be still affecting the Ubuntu versions (5.6.11, 5.6.4, 5.5.9 and eventually 5.3.10).

I support actionparsnip's advice to create a bug report.

vinc-q (vinc-q) said : #4

Done!
