Date: Fri, 13 Oct 2006 11:22:38 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Bill Blue <bblue@netoldies.com>
Cc: "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject: Re: php5-5.1.6 & 5.1.6_1
Message-ID: <992A886C-590E-4EFA-A2CB-B3FE26D7E102@mac.com>
In-Reply-To: <op.thdfjfi1zq5pz4@sovaio.netoldies.com>
References: <op.thdfjfi1zq5pz4@sovaio.netoldies.com>
On Oct 13, 2006, at 10:43 AM, Bill Blue wrote:
> It took some massaging, but I was finally able to get all the ports
> re-compiled except one, that in the subject line.
>
> php5-5.1.6 refuses to build because of Known Vulnerabilities: php
> -- _ecalloc integer overflow vulnerability,
>
> php5-5.1.6_1 refuses to build also because of Known
> Vulnerabilities: php -- open_basedir race condition vulnerabilities.
>
> Any suggestions?

1) Install PHP anyway, knowing that it contains known, exploitable vulnerabilities, via:

   cd /usr/ports/lang/php5 && DISABLE_VULNERABILITIES=yes make install

Be aware that people are actively exploiting PHP-based apps using this hole right now. Be prepared to reinstall your machine completely from scratch after it gets hacked.

2) Live without PHP and anything which uses it.

I recommend choosing option #2, where possible, otherwise restricting the use of PHP to machines which do not contain confidential or important data, and are kept in your network's DMZ or similar "semi-trusted" subnet, rather than on your internal LAN.

--
-Chuck