From owner-freebsd-questions@FreeBSD.ORG Sun Oct 15 20:32:07 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A62A516A407 for ; Sun, 15 Oct 2006 20:32:07 +0000 (UTC) (envelope-from dave.list@pixelhammer.com) Received: from ecluster6.tls.net (ecluster6.tls.net [65.196.224.136]) by mx1.FreeBSD.org (Postfix) with SMTP id 3EDF243D49 for ; Sun, 15 Oct 2006 20:32:07 +0000 (GMT) (envelope-from dave.list@pixelhammer.com) Received: (qmail 23467 invoked by uid 89); 15 Oct 2006 20:31:59 -0000 Received: from 64-184-9-220.bb.hrtc.net (HELO ?192.168.0.103?) (ldg%tls.net@64.184.9.220) by auth-ecluster6.tls.net with SMTP; 15 Oct 2006 20:31:59 -0000 Message-ID: <45329AB4.1000508@pixelhammer.com> Date: Sun, 15 Oct 2006 16:31:48 -0400 From: DAve User-Agent: Thunderbird 1.5.0.4 (Windows/20060516) MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local> In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: PHP new vulnarabilities X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Oct 2006 20:32:07 -0000 Paul Schmehl wrote: > --On October 15, 2006 7:49:55 PM +0200 Thomas > wrote: >> >> Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You >> can use: >> make -DDISABLE_VULNERABILITIES install clean >> It will ignore the vuxml entry. >> > No offense, but anybody who *deliberately* installs a vulnerable version > of php in *today's* world, is an absolute fool. Some of us are *stuck* > with the vulnerable version, because we installed before the > vulnerability was found. We can't go back because previous versions are > *also* vulnerable. > > But *deliberately* installing it when you *know* it's vulnerable - and > one of the most attacked applications on the internet? Foolhardy > doesn't quite grasp the insanity of that. > That is a bit extreme. I have a full workload, I put in about 60 hours a week (I work a lot of weekends, I'm working now). I have servers running all different version of apps. I can't go around upgrading everything at the drop of a hat. I would be divorced within a month. If you read the security alerts carefully you will find many require a shell (We don't offer them to clients), some require a specific app to be running that you may not need (rm -f /usr/local/bin/vulnerable_app), and sometimes a simple code audit will tell you if you are vulnerable. It is also not uncommon that a security alert is issued for a problem that has not be proven in the wild. There are plenty of reasons to not follow a security alert, many of them quite valid. Upgrading mission critical systems without throughly understanding the implications just because someone screamed SECURITY!, now that is foolhardy. DAve -- Three years now I've asked Google why they don't have a logo change for Memorial Day. Why do they choose to do logos for other non-international holidays, but nothing for Veterans? Maybe they forgot who made that choice possible.