Re: CVE Request: Insufficient TLS Protection in Composer (PHP)

[Kevin McArthur <kevin () stormtide ca>]

Thanks Padraic for applying for a CVE on this one. As it doesn't appear
its going to get patched, a CVE is probably the right way to go.

Not sure if its just getting lost in the shuffle, but, this
remote-code-execution vulnerability in Composer is widely deployed and
trivially exploited.

I can give it a name/branding if it'll help speed up the CVE issuance.

-- 

Kevin McArthur


On 2015-05-11 12:03 PM, Pádraic Brady wrote:
> Hi all,
>
> A brief update to clarify this is a CVE request in the subject line
> and copy the guys at MITRE. Also to clarify that this vulnerability
> occurs from relying the PHP openssl extensions default configuration.
> That default configuration disables peer verification on PHP versions
> less than PHP 5.6 (when it was significantly reworked to be more
> secure by default).
>
> On 25 April 2015 at 19:49, Pádraic Brady <padraic.brady () gmail com> wrote:
> > My I request a CVE ID for the following, which is a publicly disclosed
> > unpatched vulnerability on Composer's issue tracker since 2012.
> > Composer is an open source package manager for PHP. The specific issue
> > pertaining to this request is a failure to perform TLS peer
> > verification on remote requests when making any API request or
> > retrieving any file, i.e. there is a singular client class.
> >
> > Ref: https://github.com/composer/composer/issues/1074
> >
> > Kind regards,
> > Paddy
> >
> > --
> > Pádraic Brady
> Kind regards,
> Paddy
>
> --
> Pádraic Brady
>
> http://blog.astrumfutura.com