From: Paul Schmehl
To: freebsd-questions@freebsd.org
Date: Sun, 15 Oct 2006 13:03:59 -0500
Subject: Re: PHP new vulnarabilities

--On October 15, 2006 12:39:11 PM -0500 Jonathan Horne wrote:

> I've been scratching my head on this one for a few days too. I have a
> box at home, that is running 6.2-PRERELEASE. When I try to install the
> lang/php5 port, I get:
>
> [root@athena /usr/ports/lang/php5]# make install clean
> ===> php5-5.1.6_1 has known vulnerabilities:
> => php -- open_basedir Race Condition Vulnerability.
> Reference:
> 62df.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/lang/php5.
>
> However, my server is running the same port, with no issue whatsoever.
>

That's because you installed the port on the server *before* the
vulnerability was found.

> [root@zeus /etc/mail]# pkg_info | grep php5
> php5-5.1.6_1
> (and many extensions too)
>
> Perplexing that one box could have it, while another one (using the same
> updated ports tree), refuses it. Could be related to the code branch I'm
> following on my workstation versus my server?
>

No. It's related to the timing of when a security vulnerability was
discovered.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/