Control: tags -1 moreinfo

On Wed, Feb 3, 2016 at 21:40:22 -0400, David Prévot wrote:

> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: [email protected]
> Usertags: pu
>
> Hi,
>
> As agreed with the security team, we’d like to fix CVE-2016-1902 via
> p-u. The patch is “a bit” bigger than usual (homemade implementation
> replaced by a proper embedded one), sorry about that. Thanks in advance
> for considering it.
>
> symfony (2.3.21+dfsg-4+deb8u3) jessie; urgency=medium
>
>   [ Daniel Beyer ]
>   * Backport a security fix from 2.3.37
>     - SecureRandom's fallback not secure when OpenSSL fails [CVE-2016-1902]
>
>   [ David Prévot ]
>   * Add copyright entry for embedded paragonie/random_compat
>
> Please note that the only component touched by this fix
> (php-symfony-security) has no (external) reverse dependencies in Jessie.
>

Why have a fallback at all? When would openssl be expected to fail?

Cheers,
Julien

