Date: Tue, 10 Nov 2009 06:59:16 +0000 From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: arek@wup-katowice.pl Cc: freebsd-questions@freebsd.org Subject: Re: php4-gd Message-ID: <4AF90F44.1070509@infracaninophile.co.uk> In-Reply-To: <4AF90A6E.3040907@wup-katowice.pl> References: <4AF90A6E.3040907@wup-katowice.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig2728D1844DAD40C2477CC603 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Arek Czereszewski wrote: > Hello, >=20 > I have on some web servers php4-gd port installed > and I am totally confused. > Portaudit says >=20 > Affected package: php4-gd-4.4.9 > Type of problem: gd -- '_gdGetColors' remote buffer overflow > vulnerability. > Reference:=20 > <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html= > >=20 > On this site is info about: 5.2.11 and 5.3.0 >=20 > On Securityfocus is info also about 4.4.9 > but on cve.mitre.org is not. >=20 > Any idea where is the true? > Are my servers with php4-gd are secure or not? This is a bug in the underlying gd library rather than in PHP itself. The= re are fixes to two related ports: if you've updated graphics/gd to the la= test version (gd-2.0.35_2,1), and built the latest port revision of the php5-g= d module (which is php5-gd-5.2.11_2) then those should have been secured.= However, the PHP4 version of the gd module is still at version=20 php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch= for CVE-2009-3546 in the php4 sources -- so it seems you are still vulner= able when using PHP4. This is to be expected: the PHP project is deprecating = PHP4 and putting all their effort in to developing PHP5 instead. Patches may be forthcoming eventually, but who knows when? Basically, if you're running PHP4 on a public site then you should be mak= ing plans to upgrade to PHP5 ASAP.=20 Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig2728D1844DAD40C2477CC603 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.13 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAkr5D00ACgkQ8Mjk52CukIxwPQCfQN+LrM/CVGnq1zsSKR2wqfxp 4w4AoIY0X9T5EofK/LsQy8StBad73QwH =0RIU -----END PGP SIGNATURE----- --------------enig2728D1844DAD40C2477CC603--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AF90F44.1070509>