From owner-freebsd-questions@FreeBSD.ORG Sun Oct 15 18:50:37 2006
Return-Path:
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 378DF16A403 for ; Sun, 15 Oct 2006 18:50:37 +0000 (UTC) (envelope-from wmoran@collaborativefusion.com)
Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.FreeBSD.org (Postfix) with ESMTP id A545843D45 for ; Sun, 15 Oct 2006 18:50:36 +0000 (GMT) (envelope-from wmoran@collaborativefusion.com)
Received: from localhost (c-71-60-174-60.hsd1.pa.comcast.net [71.60.174.60]) (AUTH: LOGIN wmoran, TLS: TLSv1/SSLv3,256bits,AES256-SHA) by wingspan with esmtp; Sun, 15 Oct 2006 14:50:35 -0400 id 00056405.453282FB.00017E1F
Date: Sun, 15 Oct 2006 14:50:34 -0400
From: Bill Moran
To: Paul Schmehl
Message-Id: <20061015145034.0f039b05.wmoran@collaborativefusion.com>
In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
Organization: Collaborative Fusion
X-Mailer: Sylpheed version 2.2.7 (GTK+ 2.8.20; i386-portbld-freebsd6.1)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: freebsd-questions@freebsd.org
Subject: Re: PHP new vulnarabilities
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 15 Oct 2006 18:50:37 -0000

Paul Schmehl wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1.
> > You can use:
> >
> >     make -DDISABLE_VULNERABILITIES install clean
> >
> > It will ignore the vuxml entry.
>
> No offense, but anybody who *deliberately* installs a vulnerable version
> of php in *today's* world, is an absolute fool. Some of us are *stuck*
> with the vulnerable version, because we installed before the vulnerability
> was found. We can't go back because previous versions are *also*
> vulnerable.

Have you looked at the vulnerability? There are only certain coding
instances that would actually open this up to any attack vector. Since
the bug is in unserialize, it's pretty easy to audit a program to ensure
that it isn't vulnerable.

"absolute fool" seems a little extreme.

-- 
Bill Moran

Six men came to kill me one time, and the best of them carried this.
It's a Callahan fullbore autolock, customized trigger and double
cartridge thorough-gage. It's my very favorite gun.
    Jayne Cobb
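The audit Bill describes, as an added example that is not part of the original message or of the FreeBSD port: a small POSIX shell script that lists every unserialize() call in a PHP tree and then narrows the list to the calls whose argument is built directly from request data (the superglobals $_GET, $_POST, $_COOKIE, $_REQUEST, $_SERVER). The sample tree it builds under mktemp, the file names safe.php and risky.php, and the path /var/db/app/config.ser are constructed for the demonstration and are not from the thread.

```shell
#!/bin/sh
# Added audit helper for the unserialize() exposure discussed on the list.
# Not code from the original post; file names and paths below are
# constructed for the example.

# Print "file:line:code" for every unserialize( call under the tree in $1.
find_unserialize() {
    grep -rn --include='*.php' --include='*.inc' \
        'unserialize[[:space:]]*(' "$1"
}

# Keep only the calls whose argument mentions a request superglobal,
# i.e. the places where attacker-controlled bytes reach the parser directly.
tainted_unserialize() {
    find_unserialize "$1" \
      | grep -E 'unserialize[[:space:]]*\([^)]*\$_(GET|POST|COOKIE|REQUEST|SERVER)'
}

# Build a constructed sample tree (two files) so the script runs offline.
# Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/safe.php" <<'EOF'
<?php
// constructed sample: input is a file the application wrote itself
// (/var/db/app/config.ser is a hypothetical path)
$cfg = unserialize(file_get_contents('/var/db/app/config.ser'));
EOF
    cat > "$d/risky.php" <<'EOF'
<?php
// constructed sample: cookie and POST bytes go straight into the parser
$sess  = unserialize(base64_decode($_COOKIE['state']));
$prefs = unserialize($_POST['prefs']);
EOF
    echo "$d"
}

# Run the audit against the sample tree and show both lists.
demo() {
    tree=$(make_sample_tree)
    echo "All unserialize() calls:"
    find_unserialize "$tree"
    echo
    echo "Calls fed directly from request data (audit these first):"
    tainted_unserialize "$tree"
    rm -rf "$tree"
}

demo
```

The second grep only catches the direct case, where a superglobal appears inside the call's parentheses; a value copied into a local variable, pulled from a database row that a user populated, or read from an uploaded file will show up in the first list but not the second, so every hit in the first list still needs a human to trace where its argument comes from. The point of the split is to order the work, not to declare the remainder safe.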