Date: Thu, 3 Mar 2011 12:25:38 -0800
From: Xin LI <delphij@gmail.com>
To: Andrea Venturoli <ml@netfence.it>
Cc: admin@lissyara.su, freebsd-ports@freebsd.org
Subject: Re: PHP52 vulnerability
Message-ID: <AANLkTikpFv2vYRQtJCcqEEh0M268F8R8mN%2B_g=aL3S3B@mail.gmail.com>
In-Reply-To: <4D6FF565.9070608@netfence.it>
References: <4D6FF565.9070608@netfence.it>

Hi,

On Thu, Mar 3, 2011 at 12:09 PM, Andrea Venturoli <ml@netfence.it> wrote:
> Hello.
>
> As you probably know, it looks like php52 is vulnerable:
>
> Affected package: php52-5.2.17
> Type of problem: php -- NULL byte poisoning.
> Reference:
> http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html
>
> Is there any news on the horizon?

I think PHP developers haven't gotten that patched for 5.2.x (yet), as
the branch is considered to be obsolete. We may have to patch the port
ourselves.

Note that the FreeBSD PHP port comes with Suhosin by default, which _could_
have mitigated the attack (disclaimer: I'm not very confident that this
solves all problems, though, as it requires a more thorough code review).

Cheers,
--
Xin LI <delphij@delphij.net> http://www.delphij.net