From: Xin LI
To: Vincent Hoffman
Cc: r00t, freebsd-stable@freebsd.org
Date: Sat, 26 Dec 2009 04:32:44 -0800
Subject: Re: php5-5.2.11_1 Vulnerabilities
In-Reply-To: <4B35FC4C.7050100@unsane.co.uk>
References: <4B344459.4020202@ellicit.org> <4B35FC4C.7050100@unsane.co.uk>
List-Id: Production branch of FreeBSD source code

Hi, Vincent,

On Sat, Dec 26, 2009 at 4:06 AM, Vincent Hoffman wrote:
> Xin LI wrote:
>> I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
>> vulnerable.  Is it an option for you?
>>
>> http://www.alexdupre.com/php53.diff
>>
> We've found 5.3 is different enough from 5.2 at work that a number of
> customers have needed downgrading again after upgrading. (We're a Linux
> shop but the same theory applies.) A particular gotcha was the removal
> of the mhash module, which is used by plenty of shopping cart code (it's
> now emulated by the built-in hash stuff, but php configure needs the
> --with-mhash flag. And because it's emulated it can't be built as a
> module.) Test thoroughly if you're thinking of moving to php5.3.
>     However, as yet various stuff that's in the php5.2.11 port isn't
> available or has changed a bit for 5.2.12. For example the Suhosin
> hardening patch isn't available for 5.2.12 yet (people taking time off
> for the holidays, I'd guess ;)

I actually have a semi-working 5.2.12 patchset which worked for the
extensions I am using, but it needs some further work.

IIRC, for Suhosin, the 5.2.11 patch should just work for 5.2.12 (the
mailhead patch has been updated for 5.2.12 anyway). So neither is a
blocking problem for us. However, since php5 has so many slave ports
it's not so easy to have a thorough test (at least 1 slave port needs
to be changed and the patch there should be updated), which needs some
time, so I don't want to commit my patches without more thorough
testing. Also I'm a bit concerned that it's likely to increase ale@'s
workload if I commit a 5.2.12.

Cheers,
-- 
Xin LI http://www.delphij.net
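The mhash point raised above (the standalone extension is gone in PHP 5.3 and only comes back as an ext/hash emulation when PHP is configured --with-mhash) is the kind of thing that breaks application code on upgrade. The following is an added example, not code from this thread or from the FreeBSD php5 port: a small compatibility shim that lets shopping-cart style code keep its mhash() call sites while running on a build that has either the real extension, the emulation, or neither. The function names compat_mhash(), legacy_mhash_algo_map() and self_check() are hypothetical names chosen here; mhash(), hash() and hash_hmac() are the real PHP APIs. The example assumes the application only needs the digest algorithms listed in the map.

```php
<?php
// Added example (not from the original post or the php5 port): make code that
// calls mhash() work on PHP 5.2 (mhash extension), PHP 5.3 built --with-mhash
// (emulated by ext/hash), and PHP 5.3 built without it (fall back to ext/hash,
// which is enabled by default since 5.1.2).

// Map of legacy MHASH_* constant names to ext/hash algorithm names.
// Assumption: these are the only algorithms the application uses.
function legacy_mhash_algo_map() {
    return array(
        'MHASH_MD5'       => 'md5',
        'MHASH_SHA1'      => 'sha1',
        'MHASH_SHA256'    => 'sha256',
        'MHASH_SHA512'    => 'sha512',
        'MHASH_RIPEMD160' => 'ripemd160',
    );
}

// Portable digest: same contract as mhash($hash, $data[, $key]), i.e. returns
// raw bytes, and an HMAC when a key is given. Hypothetical helper name.
function compat_mhash($legacy_name, $data, $key = null) {
    $map = legacy_mhash_algo_map();
    if (!isset($map[$legacy_name])) {
        throw new InvalidArgumentException("unsupported legacy algorithm: $legacy_name");
    }

    // Prefer the native or emulated mhash() when it exists, so behaviour
    // matches the old code byte for byte (including its constant numbering).
    if (function_exists('mhash') && defined($legacy_name)) {
        $id = constant($legacy_name);
        return ($key === null) ? mhash($id, $data) : mhash($id, $data, $key);
    }

    // Otherwise use ext/hash directly; third argument true = raw binary output,
    // which is what mhash() returned.
    $algo = $map[$legacy_name];
    return ($key === null)
        ? hash($algo, $data, true)
        : hash_hmac($algo, $data, $key, true);
}

// Cross-check the shim against ext/hash for every mapped algorithm, with and
// without a key. Returns an array of algorithm name => bool (true = agrees).
// Run this once on the upgraded box before putting the application back online.
function self_check() {
    $results = array();
    $msg = 'abc';        // constructed sample input
    $key = 'secret-key'; // constructed sample key
    foreach (legacy_mhash_algo_map() as $legacy => $algo) {
        $ok_plain = (compat_mhash($legacy, $msg) === hash($algo, $msg, true));
        $ok_hmac  = (compat_mhash($legacy, $msg, $key) === hash_hmac($algo, $msg, $key, true));
        $results[$legacy] = ($ok_plain && $ok_hmac);
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    echo 'mhash() available: ', function_exists('mhash') ? 'yes' : 'no', "\n";
    foreach (self_check() as $name => $ok) {
        echo str_pad($name, 16), $ok ? 'ok' : 'MISMATCH', "\n";
    }
    echo 'SHA-256("abc") = ', bin2hex(compat_mhash('MHASH_SHA256', 'abc')), "\n";
}
```

Running `php compat_mhash.php` on both the old 5.2 host and the candidate 5.3 build (with and without --with-mhash) and diffing the output is a quick way to tell whether the upgrade changed any digest or HMAC the application stores or compares; a MISMATCH line means the two implementations disagree for that algorithm and the site should not be cut over until it is understood.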