Raphael Geissert wrote:
> MOPS-60
>
> The default session serializer does not correctly handle a special
> marker, which allows an attacker to inject arbitrary variables into the
> session and possibly exploit vulnerabilities in the unserializer.
>
> For the vulnerability described by CVE-2010-1128 (predictable entropy
> for the Linear Congruential Generator used to generate session ids), we
> do not consider upstream's solution to be sufficient. It is recommended
> to uncomment the 'session.entropy_file' and 'session.entropy_length'
> settings in the php.ini files.
> Further improvements can be achieved by setting 'session.hash_function'
> to 1 (one) and incrementing the value of 'session.entropy_length'.
b...@warp:~ $ egrep '(entropy|hash_function)' /etc/php5/apache2/php.ini
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.hash_function = 0

Do you actually read this kind of mail carefully, or do you wait until I do and then warn you? :P

-- 
Cheers,
Harrie
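As an added example (not part of either mail above, and not Debian's or PHP's own tooling): a POSIX shell check that reads the three session-ID settings from a php.ini the way the egrep above does, but skips commented-out (`;`) lines so the inactive `;session.entropy_file = /dev/urandom` does not pass as a hit, and reports whether the recommendation in Raphael's mail is actually in effect. The pass criteria (entropy_file set, entropy_length at least 16, hash_function = 1) are that recommendation applied as thresholds; the two php.ini fragments are constructed here, the first reproducing the Debian default printed in Harrie's egrep output.

```shell
#!/bin/sh
# Added example: audit session-ID entropy settings in a php.ini (PHP 5.x).
# Not part of the original mails; thresholds follow the quoted advice.

# ini_get FILE KEY: print the value of the first active (uncommented)
# "KEY = VALUE" line in FILE, with surrounding whitespace and quotes
# stripped. Prints nothing if the key is absent or only commented out.
ini_get() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_session_entropy FILE: print a verdict per setting; return 0 only
# when all three match the hardened recommendation, 1 otherwise.
check_session_entropy() {
    file=$1
    status=0
    efile=$(ini_get "$file" session.entropy_file)
    elen=$(ini_get "$file" session.entropy_length)
    hfunc=$(ini_get "$file" session.hash_function)

    # Empty entropy_file means PHP falls back to its own LCG (CVE-2010-1128).
    if [ -n "$efile" ]; then
        echo "ok   session.entropy_file = $efile"
    else
        echo "WEAK session.entropy_file unset (internal LCG used)"
        status=1
    fi

    # entropy_length must be a number and at least the 16 bytes Debian ships commented out.
    case "$elen" in
        ''|*[!0-9]*)
            echo "WEAK session.entropy_length not set to a number ('$elen')"
            status=1 ;;
        *)
            if [ "$elen" -ge 16 ]; then
                echo "ok   session.entropy_length = $elen"
            else
                echo "WEAK session.entropy_length = $elen (< 16)"
                status=1
            fi ;;
    esac

    # hash_function: 0 = MD5 (128-bit id), 1 = SHA-1 (160-bit id).
    if [ "$hfunc" = "1" ]; then
        echo "ok   session.hash_function = 1 (SHA-1)"
    else
        echo "WEAK session.hash_function = ${hfunc:-unset} (MD5)"
        status=1
    fi
    return $status
}

# Constructed sample 1: the Debian php5 default as printed in the mail.
WEAK_INI=$(mktemp)
cat >"$WEAK_INI" <<'EOF'
[Session]
session.entropy_length = 0
session.entropy_file =
;session.entropy_length = 16
;session.entropy_file = /dev/urandom
session.hash_function = 0
EOF

# Constructed sample 2: the same block after applying the recommendation.
HARD_INI=$(mktemp)
cat >"$HARD_INI" <<'EOF'
[Session]
session.entropy_length = 32
session.entropy_file = "/dev/urandom"
session.hash_function = 1
EOF
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT

for f in "$WEAK_INI" "$HARD_INI"; do
    echo "== $f"
    if check_session_entropy "$f"; then
        echo "-> hardened"
    else
        echo "-> NOT hardened"
    fi
done
```

Point it at `/etc/php5/apache2/php.ini` (and the cli/cgi copies, which are separate files on Debian) instead of the constructed samples to audit a real host. These three directives are PHP 5 only: PHP 7.1 removed `session.entropy_file`, `session.entropy_length` and `session.hash_function` and replaced them with `session.sid_length` and `session.sid_bits_per_character`, so on a current install the keys and thresholds have to be changed accordingly.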

