======================================================
Name: CVE-2011-4718
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20111209
Category:
Reference: MISC:https://bugs.php.net/bug.php?id=60491
Reference: MISC:https://wiki.php.net/rfc/strict_sessions
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=169b78eb79b0e080b67f9798708eb3771c6d0b2f
Reference: CONFIRM:http://git.php.net/?p=php-src.git;a=commit;h=25e8fcc88fa20dc9d4c47184471003f436927cde

Session fixation vulnerability in the Sessions subsystem in PHP before 5.5.2 allows remote attackers to hijack web sessions by specifying a session ID.

Reproducible:

Steps to Reproduce:
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=996774
Looks like PHP 5.3 and 5.4 are also affected, looking at the last comment on the RH bug. Not sure when there will be fixes available, might be a while. In the meantime, PHP 5.5.2 is out, so this should be fixable in Cauldron now.
Summary: CVE-2011-4718: php - Strict Sessions => php - Strict Sessions (CVE-2011-4718)
Fedora has issued an advisory for this on August 19: https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114648.html
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4718 => http://lwn.net/Vulnerabilities/564819/
At MDV we're taking the RH stance as of:
https://bugzilla.redhat.com/show_bug.cgi?id=996774#c4
https://bugzilla.redhat.com/show_bug.cgi?id=996774#c5
No backport for php 5.3/5.4.
Sounds reasonable. Since this is fixed in Cauldron, I'll mark it as FIXED. Just a note that this is really WONTFIX for Mageia 2 and Mageia 3.
Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => FIXED