From: Joerg Pernfuss <elessar@bsdforen.de>
To: freebsd-questions@freebsd.org
Date: Sun, 15 Oct 2006 20:51:56 +0200
Subject: Re: PHP new vulnerabilities
Message-ID: <20061015205156.161cf645@loki.starkstrom.lan>
In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
X-Mailer: Sylpheed-Claws 2.2.3 (GTK+ 2.8.20; i386-portbld-freebsd6.1)

On Sun, 15 Oct 2006 13:07:15 -0500 Paul Schmehl wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas wrote:
>
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1.
> > You can use:
> >
> >     make -DDISABLE_VULNERABILITIES install clean
> >
> > It will ignore the vuxml entry.
>
> No offense, but anybody who *deliberately* installs a vulnerable
> version of php in *today's* world, is an absolute fool. Some of us
> are *stuck* with the vulnerable version, because we installed before
> the vulnerability was found. We can't go back because previous
> versions are *also* vulnerable.
>
> But *deliberately* installing it when you *know* it's vulnerable -
> and one of the most attacked applications on the internet? Foolhardy
> doesn't quite grasp the insanity of that.

Completely true, but in this situation, the update is arguably the
better thing to do. With the update you trade an integer overflow
against this open_basedir hole that is, as far as I know, harder to
exploit, and the _1 version is sure to have the suhosin 0.9.5 patch
(5.1.6 can be either 0.9.3 or 0.9.5 depending on checkout date - or
none at all) - and with suhosin one can disable symlink(). Which may
of course very well break the php "application", but this is simply
"choose your poison".

Joerg

-- 
| /"\  ASCII ribbon     | GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ /  campaign against | 0xbbcaad24   | 5706 1f7d 6cfd bbca ad24 |
|  X   HTML in email    | .the next sentence is true.             |
| / \  and news         | .the previous sentence was a lie.       |