Date: Sun, 15 Oct 2006 20:51:56 +0200
From: Joerg Pernfuss <elessar@bsdforen.de>
To: freebsd-questions@freebsd.org
Subject: Re: PHP new vulnarabilities
Message-ID: <20061015205156.161cf645@loki.starkstrom.lan>
In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
On Sun, 15 Oct 2006 13:07:15 -0500
Paul Schmehl <pauls@utdallas.edu> wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists@bsdunix.ch>
> wrote:
>
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1.
> > You can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable
> version of php in *today's* world, is an absolute fool. Some of us
> are *stuck* with the vulnerable version, because we installed before
> the vulnerability was found. We can't go back because previous
> versions are *also* vulnerable.
>
> But *deliberately* installing it when you *know* it's vulnerable -
> and one of the most attacked applications on the internet? Foolhardy
> doesn't quite grasp the insanity of that.

Completely true, but in this situation, the update is arguably the
better thing to do. With the update you trade an integer overflow
against this open_basedir hole that is, as far as I know, harder to
exploit, and the _1 version is sure to have the suhosin 0.9.5 patch
(5.1.6 can be either 0.9.3 or 0.9.5 depending on checkout date - or
none at all) - and with suhosin one can disable symlink().

Which may of course very well break the php "application", but this is
simply "choose your poison".

Joerg

-- 
| /"\ ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X  HTML in email    | .the next sentence is true.             |
| / \ and news         | .the previous sentence was a lie.       |
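Joerg's advice that suhosin lets one disable symlink() only helps if the setting actually took effect on the box. The following is an added example, not code from this thread or from the PHP or Suhosin projects: a POSIX sh function that reads a php.ini-style file and reports whether a given function is blocked by PHP's own disable_functions directive or by Suhosin's suhosin.executor.func.blacklist. The ini files it writes are constructed samples; their paths and contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a PHP configuration
# really disables a function such as symlink(). Two directives are
# consulted: PHP's own disable_functions and Suhosin's
# suhosin.executor.func.blacklist. The ini files below are constructed
# samples; paths and contents are assumptions for illustration.

# php_function_disabled INI_FILE FUNCTION
# Exit 0 if FUNCTION is listed in either blacklist directive, 1 otherwise.
php_function_disabled() {
    ini="$1"
    fn="$2"
    for key in disable_functions suhosin.executor.func.blacklist; do
        # Escape the dots so the directive name is matched literally.
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        # php.ini semantics: the last assignment of a directive wins,
        # so keep only the final uncommented line for this key, drop
        # the key, quotes and whitespace, leaving a comma-separated list.
        list=$(grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$ini" 2>/dev/null \
            | tail -n 1 \
            | sed -e 's/^[^=]*=//' -e "s/[\"'[:space:]]//g")
        # One entry per line, then require an exact match on the name.
        if printf '%s\n' "$list" | tr ',' '\n' | grep -qxF -- "$fn"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample configurations (assumed paths under a temp dir).
tmpdir=$(mktemp -d)
WEAK_INI="$tmpdir/php-weak.ini"
CORE_INI="$tmpdir/php-core.ini"
HARDENED_INI="$tmpdir/php-suhosin.ini"

cat > "$WEAK_INI" <<'EOF'
; constructed sample: open_basedir set, but nothing disabled
open_basedir = /usr/local/www/data
disable_functions =
EOF

cat > "$CORE_INI" <<'EOF'
; constructed sample: symlink() blocked with PHP's own directive
open_basedir = /usr/local/www/data
disable_functions = symlink,exec
EOF

cat > "$HARDENED_INI" <<'EOF'
; constructed sample: symlink() blocked via Suhosin, as suggested in the thread
open_basedir = /usr/local/www/data
suhosin.executor.func.blacklist = "symlink, link"
EOF

# Human-readable verdict for one file and one function.
report() {
    if php_function_disabled "$1" "$2"; then
        echo "$1: $2() is disabled"
    else
        echo "$1: $2() is still callable"
    fi
}

report "$WEAK_INI" symlink
report "$CORE_INI" symlink
report "$HARDENED_INI" symlink
report "$HARDENED_INI" exec
```

Run it against the php.ini the web server actually loads (the path from phpinfo(), not the one shipped with the port) before relying on the open_basedir trade-off; an empty disable_functions line, as in the first sample, leaves symlink() callable.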