From: Vincent Hoffman
Date: Sat, 26 Dec 2009 12:06:36 +0000
To: Xin LI
Cc: r00t, freebsd-stable@freebsd.org
Subject: Re: php5-5.2.11_1 Vulnerabilities
Message-ID: <4B35FC4C.7050100@unsane.co.uk>
References: <4B344459.4020202@ellicit.org>

Xin LI wrote:
> I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
> vulnerable. Is it an option for you?
>
> http://www.alexdupre.com/php53.diff
>
We've found 5.3 is different enough from 5.2 at work that a number of
customers have needed downgrading again after upgrading. (We're a Linux
shop but same theory applies.) A particular gotcha was the removal of
the mhash module, which is used by plenty of shopping cart code (it's
now emulated by the built-in hash stuff, but php configure needs the
--with-mhash flag. And because it's emulated it can't be built as a
module.) Test thoroughly if you're thinking of moving to php5.3.

However, as yet various stuff that's in the php5.2.11 port isn't
available or has changed a bit for 5.2.12. For example, the Suhosin
hardening patch isn't available for 5.2.12 yet (People taking time off
for the holidays I'd guess ;)

Vince

> On Thu, Dec 24, 2009 at 8:49 PM, r00t wrote:
>
>> I was wondering why this isn't available to upgrade...
>>
>> Affected package: php5-5.2.11_1
>> Type of problem: php -- multiple vulnerabilities.
>> Reference:
>
>> Security Enhancements and Fixes in PHP 5.2.12 is what the above reference says.
>>
>> Standard methods of upgrading have not shown a fix for this...does anyone have information on when this will be fixed?
>>
>> Port: php5-5.2.11_1
>> Path: /usr/ports/lang/php5
>> Info: PHP Scripting Language
>> Maint: ale@FreeBSD.org
>> B-deps: autoconf-2.62 autoconf-wrapper-20071109 libiconv-1.13.1
>> libxml2-2.7.6_1 m4-1.4.13,1 perl-5.8.9_3 pkg-config-0.23_1
>> R-deps: libiconv-1.13.1 libxml2-2.7.6_1 pkg-config-0.23_1
>> WWW: http://www.php.net/
>>
>> _______________________________________________
>> freebsd-stable@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"