From owner-freebsd-questions@FreeBSD.ORG Sun Oct 15 17:50:43 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC13C16A417 for ; Sun, 15 Oct 2006 17:50:43 +0000 (UTC) (envelope-from freebsdlists@bsdunix.ch) Received: from mail01.solnet.ch (mail01.solnet.ch [212.101.4.135]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6986243D66 for ; Sun, 15 Oct 2006 17:50:41 +0000 (GMT) (envelope-from freebsdlists@bsdunix.ch) X-Virus-Scanned: by amavisd-new at mail01.solnet.ch Received: from mail01.solnet.ch ([127.0.0.1]) by localhost (mail01.solnet.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id bwhy3E4EFZ+X; Sun, 15 Oct 2006 17:50:39 +0000 (GMT) Received: from [192.168.1.102] (unknown [82.220.17.23]) by mail01.solnet.ch (Postfix) with ESMTP id 1B16762519; Sun, 15 Oct 2006 17:50:39 +0000 (GMT) Message-ID: <453274C3.7090409@bsdunix.ch> Date: Sun, 15 Oct 2006 19:49:55 +0200 From: Thomas User-Agent: Thunderbird 1.5.0.7 (Macintosh/20060909) MIME-Version: 1.0 To: Jonathan Horne References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> In-Reply-To: <200610151239.12127.freebsd@dfwlp.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org Subject: Re: PHP new vulnarabilities X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Oct 2006 17:50:43 -0000 Hi Jonathan Jonathan Horne schrieb: > On Sunday 15 October 2006 08:12, Joerg Pernfuss wrote: >> On Sun, 15 Oct 2006 14:31:25 +0200 >> >> "Khaled J. Hussein" wrote: >>> hi all >>> >>> last time i found this when i run portaudit -Fda >>> >>> Affected package: php5-5.1.6 >>> Type of problem: php -- _ecalloc Integer Overflow Vulnerability. >>> Reference: >>> >> 2df.html> >>> >>> how can i fix this >> update ypur portstree. you'll get php5-5.1.6_1 which fixes the _ecalloc >> overflow, but not yet the open_basedir race condition. >> >> Joerg > > ive been scratching my head on this one for a few days too. i have a box at > home, that is running 6.2-PRERELEASE. when i try to install the lang/php5 > port, i get: > > [root@athena /usr/ports/lang/php5]# make install clean > ===> php5-5.1.6_1 has known vulnerabilities: > => php -- open_basedir Race Condition Vulnerability. > Reference: > > => Please update your ports tree and try again. > *** Error code 1 > > Stop in /usr/ports/lang/php5. > > however, my server is running the same port, with no issue whatsoever. > > [root@zeus /etc/mail]# pkg_info | grep php5 > php5-5.1.6_1 > (and many extensions too) > > perplexing that one box could have it, while another one (using the same > updated ports tree), refuses it. could be related to the code branch im > following on my workstaion versus my server? Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You can use: make -DDISABLE_VULNERABILITIES install clean It will ignore the vuxml entry. Cheers, Thomas