CVE-2009-3291

Publication date 22 September 2009

Last updated 24 July 2024

The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates.

Read the notes from the security team

Status

Show unmaintained releases

No maintained releases are affected by this CVE.

Package	Ubuntu Release	Status
php5	9.10 karmic	Fixed 5.2.10.dfsg.1-2ubuntu6.3
	9.04 jaunty	Fixed 5.2.6.dfsg.1-3ubuntu4.4
	8.10 intrepid	Fixed 5.2.6-2ubuntu4.5
	8.04 LTS hardy	Fixed 5.2.4-2ubuntu5.9
	6.06 LTS dapper	Fixed 5.1.2-1ubuntu3.17

Notes

mdeslaur

NUL (‘\0’) character embedded in X509 certificate’s CommonName or subjectAltName given RH’s analysis of this issue, reprioritizing as “low”

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: http://svn.php.net/viewvc?view=revision&revision=288329

References

Related Ubuntu Security Notices (USN)