Re: Session: deprecating create_sid() method and add createSid()?

From: Date: Mon, 17 Mar 2014 22:07:08 +0000
Subject: Re: Session: deprecating create_sid() method and add createSid()?
Groups: php.internals
Hi Andrey,

On Tue, Mar 18, 2014 at 6:59 AM, Andrey Andreev <[email protected]> wrote:

> On Mon, Mar 17, 2014 at 11:15 PM, Pierre Joye <[email protected]> wrote:
> > hi,
> >
> > On Mon, Mar 17, 2014 at 10:09 PM, Yasuo Ohgaki <[email protected]> wrote:
> >
> > For one, I appreciate the effort that both of you put on the session management.
> >
> > It seems that you are somehow alone to discuss this issue and slightly
> > in circle right now.
> >
> > I would suggest two steps:
> >
> > - sit down together for a chat and get your stuff together. It will be by
> > far more efficient than mails
> >
> > - write one or more RFCs to fix what should be fixed, how and why (see
> > next point :)
> >
> > - provide more info about the actual critical security impact that
> > could be fixed by the changes
> >   as of now, I failed to see any CVE related to what you are referring to
>
> We'll surely do that.
> In fact, I was just about to write Yasuo a private mail about some
> security issues, because I didn't find an option to report a bug and
> make it hidden. Is there such an option, or does the CVE assignment
> process allow that? (I'm not familiar with it)


Getting a CVE is easy. One just has to describe what the vulnerability is and
send a request mail to MITRE. If the personnel at MITRE agree that it is a new
vulnerability, then they give us a new CVE; if not, they give us the existing CVE.

I don't think this (the session_regenerate_id() issue) is a PHP CVE issue, as it
may be avoided in userland, like the timing attack issue.

Regards,

--
Yasuo Ohgaki
[email protected]
