
chore: use random_int() in some places #15017


Merged
merged 1 commit into from May 8, 2018

Conversation

DanielRuf
Contributor

@DanielRuf DanielRuf commented May 5, 2018

Description

This PR is for evaluating the possible increased security for generating random numbers in some modules.

Contribution checklist

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds on Travis CI are green)
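The point of the change is the choice of PRNG, not the surrounding code. The following is an added illustration, not the PR's diff or Magento's own Crypt.php: a token generator written once with mt_rand() (assumed here to be the kind of call the PR replaces; the page does not show the diff) and once with random_int(), plus a seed-reuse demonstration that shows why the former is unsuitable for security-sensitive values. All function names are hypothetical.

```php
<?php
// Added example (not the PR's code): the same generator with a weak and a
// CSPRNG-backed source. Helper names are assumed for illustration.

/** Weak: mt_rand() is a Mersenne Twister with a small, recoverable state. */
function weakRandomString(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[mt_rand(0, $max)];
    }
    return $out;
}

/** Hardened: random_int() (PHP 7+) reads the OS CSPRNG and throws if it cannot. */
function secureRandomString(int $length): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

/** For raw bytes such as an IV or a salt, random_bytes() is the direct equivalent. */
function secureIv(int $bytes): string
{
    return random_bytes($bytes);
}

// Why mt_rand() is the wrong tool: its output is a pure function of its seed,
// so reseeding with the same value reproduces the "random" string exactly.
mt_srand(12345);
$a = weakRandomString(16);
mt_srand(12345);
$b = weakRandomString(16);
var_dump($a === $b);               // bool(true): same seed, same token

// random_int() has no user-controllable seed; two draws differ
// (collision probability is negligible for 16 characters of this alphabet).
$c = secureRandomString(16);
$d = secureRandomString(16);
var_dump($c === $d);               // bool(false)

var_dump(strlen(secureIv(16)));    // int(16)
```

A quick review check for a code base after such a change is to search for the remaining non-cryptographic sources (`mt_rand`, `rand`, `uniqid`, `lcg_value`) and confirm each call site produces nothing that must stay unpredictable; everything that does should go through `random_int()` or `random_bytes()`.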

@magento-engcom-team
Contributor

Hi @DanielRuf. Thank you for your contribution.
Changes from your Pull Request will be available with the upcoming 2.2.5 release.

@barryvdh
Contributor

barryvdh commented Jul 9, 2018

This does not seem to be in 2.2.5; https://github.com/magento/magento2/blob/2.2.5/lib/internal/Magento/Framework/Encryption/Crypt.php#L78

This issue is registered as security vulnerability CVE-2016-6485, so it would be great if this can be fixed in the next release. See https://www.cvedetails.com/cve/CVE-2016-6485/

@DanielRuf
Contributor Author

This does not seem to be in 2.2.5; /lib/internal/Magento/Framework/Encryption/Crypt.php@2.2.5#L78

This issue is registered as security vulnerability CVE-2016-6485, so it would be great if this can be fixed in the next release. See cvedetails.com/cve/CVE-2016-6485

It will be in 2.2.6

@DanielRuf
Contributor Author

Also this is an older CVE and 5.5/10 is not so critical.

@DanielRuf
Contributor Author

So this is not a 0day in general.

@barryvdh
Contributor

barryvdh commented Jul 9, 2018

Yeah it's old, but still open. Don't know if that makes it better ;)

Not a big issue, just nice to have closed. Also for other tools that check if you use projects with known security issues. Nice to have fixed, I just expected it in 2.2.5 because of the comment saying it was in 2.2.5.

@DanielRuf
Contributor Author

Well, the release bot of Magento had the wrong date and so this will be definitely in the next release. So it will be finally fixed in 2.2.6.

Not sure who said that it is fixed yet, but this is not correct, as you can see.

@DanielRuf
Contributor Author

just expected it in 2.2.5 because of the comment saying it was in 2.2.5

Never trust a comment, check the code of the tagged release =)
