random_compat 1.x not insecure if on patched PHP version?

Question

random_compat 1.x not insecure if on patched PHP version?

andrerom opened this issue 7 years ago · 3 comments

Not that it's so relevant anymore, but from the looks of it seems the version rule on random_compat might be a bit too strict, as the underlying lack of randomness with openssl issue seems to have been fixed in later version of PHP:
php/php-src@0e2447c

Answer 1 · 2018-02-28T15:26:27.000Z

@andrerom If you think there is something to change, please submit a pull request. I'm mostly merging pull requests here, so any issue won't be fixed by "maintainers" of this repo :)

Answer 2 · 2018-03-01T07:48:39.000Z

Posted the relevant question on paragonie/random_compat#96 (comment), based on feedback ew can sew if there is anything we could change here.

Solution could be a 1.5 which requires the relevant PHP versions which fixes this >=1.5 can be whitelisted.

Answer 3 · 2018-03-02T09:22:13.000Z

Summary
Seems that the issue is solved in newer versions of PHP. So in other words this is false positive for anyone on newer PHP version. But nevertheless the standing recommendation from maintainer is to upgrade to random_compat 2.x to not rely on user land provided randomness.

As there does not seems to be a way to annotate that 1.x is only really vulnerable on PHP 5.6.23 and lower, I guess this can be closed as can't fix as long as there is no random_compat 1.x release requiring said PHP versions which fixes this.