From owner-freebsd-questions@FreeBSD.ORG  Sun Oct 15 17:39:15 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 53F4A16A40F
	for <freebsd-questions@freebsd.org>;
	Sun, 15 Oct 2006 17:39:15 +0000 (UTC)
	(envelope-from freebsd@dfwlp.com)
Received: from zeus.dfwlp.com (zeus.dfwlp.com [208.11.134.127])
	by mx1.FreeBSD.org (Postfix) with ESMTP id D22D943D5C
	for <freebsd-questions@freebsd.org>;
	Sun, 15 Oct 2006 17:39:14 +0000 (GMT)
	(envelope-from freebsd@dfwlp.com)
Received: from athena.dfwlp.com (athena.dfwlp.com [192.168.125.83])
	(authenticated bits=0)
	by zeus.dfwlp.com (8.13.6/8.13.6) with ESMTP id k9FHdCjV006215
	for <freebsd-questions@freebsd.org>;
	Sun, 15 Oct 2006 12:39:12 -0500 (CDT)
	(envelope-from freebsd@dfwlp.com)
From: Jonathan Horne <freebsd@dfwlp.com>
To: freebsd-questions@freebsd.org
Date: Sun, 15 Oct 2006 12:39:11 -0500
User-Agent: KMail/1.9.4
References: <45322A1D.8070204@hadara.ps>
	<20061015151215.15a4062e@loki.starkstrom.lan>
In-Reply-To: <20061015151215.15a4062e@loki.starkstrom.lan>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200610151239.12127.freebsd@dfwlp.com>
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED,AWL 
	autolearn=ham version=3.1.6
X-Spam-Checker-Version: SpamAssassin 3.1.6 (2006-10-03) on zeus.dfwlp.com
Subject: Re: PHP new vulnarabilities
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Oct 2006 17:39:15 -0000

On Sunday 15 October 2006 08:12, Joerg Pernfuss wrote:
> On Sun, 15 Oct 2006 14:31:25 +0200
>
> "Khaled J. Hussein" <khaled@hadara.ps> wrote:
> > hi all
> >
> > last time i found this when i run portaudit -Fda
> >
> > Affected package: php5-5.1.6
> > Type of problem: php -- _ecalloc Integer Overflow Vulnerability.
> > Reference:
> > <http://www.FreeBSD.org/ports/portaudit/e329550b-54f7-11db-a5ae-00508d6a6
> >2df.html>
> >
> > how can i fix this
>
> update ypur portstree. you'll get php5-5.1.6_1 which fixes the _ecalloc
> overflow, but not yet the open_basedir race condition.
>
> 	Joerg

ive been scratching my head on this one for a few days too.  i have a box at 
home, that is running 6.2-PRERELEASE.  when i try to install the lang/php5 
port, i get:

[root@athena /usr/ports/lang/php5]# make install clean    
===>  php5-5.1.6_1 has known vulnerabilities:
=> php -- open_basedir Race Condition Vulnerability.
   Reference: 
<http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/lang/php5.

however, my server is running the same port, with no issue whatsoever.

[root@zeus /etc/mail]# pkg_info | grep php5
php5-5.1.6_1
(and many extensions too)

perplexing that one box could have it, while another one (using the same 
updated ports tree), refuses it.  could be related to the code branch im 
following on my workstaion versus my server?

thanks,
jonathan