Date: Thu, 6 Jan 2011 08:39:16 GMT
From: Chris Tandiono <christandiono@tbp.berkeley.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/153719: lang/php5 is vulnerable
Message-ID: <201101060839.p068dG3i098126@red.freebsd.org>
Resent-Message-ID: <201101060840.p068e95k043762@freefall.freebsd.org>
>Number: 153719
>Category: ports
>Synopsis: lang/php5 is vulnerable
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jan 06 08:40:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Chris Tandiono
>Release: 8.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD host.local 8.0-RELEASE-p3 FreeBSD 8.0-RELEASE-p3 #0: Wed May 26 05:45:12 UTC 2010 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
lang/php5 5.3.4 is vulnerable to a DoS attack involving floating point numbers (when compiled with the default CFLAGS).
>How-To-Repeat:
Compile php5 from ports without specifying SSE math instructions. The produced 387 instructions will cause PHP to infinite loop on certain floating point numbers.
>Fix:
Arch Linux has a "PHP 5.3.5" but AFAICT it's not been released yet. One workaround is to enable SSE instructions at compile-time.
>Release-Note:
>Audit-Trail:
>Unformatted: