PHP :: Bug #26415 :: OpenSSL 0.9.7b is vulnerable

Bug #26415

OpenSSL 0.9.7b is vulnerable

Submitted:

2003-11-25 20:18 UTC

Modified:

2004-03-16 18:43 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

dietrich dot ayala at foundstone dot com

Assigned:

edink (profile)

Status:

Closed

Package:

OpenSSL related

PHP Version:

4.3.4

OS:

win32

Private report:

CVE-ID:

None

[2003-11-25 20:18 UTC] dietrich dot ayala at foundstone dot com

Description:
------------
the version of openssl shipped w/ php is has known vulnerabilities. php should be updated to the latest version of openssl (0.9.7c).

http://www.openssl.org/news/secadv_20030930.txt

thanks,

dietrich

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-12-03 13:43 UTC] dietrich dot ayala at foundstone dot com

Hi Edin,

Is there any ETA on this? I've tried using the new DLLs but they don't work. Wez said the function signatures may have changed.

Thanks!

Dietrich

[2004-01-03 18:26 UTC] edink@php.net

Finally, I managed to find some time to upgrade openssl. The version bundled with the snaps and releases from now on is OpenSSL-0.9.7c.

[2004-03-15 16:17 UTC] dietrich dot ayala at foundstone dot com

the latest 4.3.5 snaps are still using version 0.9.7b.

these vulns are widely known and have been in the field for quite a while. it'd be great to get this updated.

thanks so much for your effort edin!

[2004-03-15 18:14 UTC] sniper@php.net

Did you really update ALL dlls from the snapshot package?

[2004-03-16 18:43 UTC] edink@php.net

The version packed with latest snaps is 0.9.7c.