From owner-freebsd-ports@FreeBSD.ORG Thu Mar 3 20:52:26 2011
From: Xin LI
To: Andrea Venturoli
Cc: admin@lissyara.su, freebsd-ports@freebsd.org
Date: Thu, 3 Mar 2011 12:25:38 -0800
Subject: Re: PHP52 vulnerability
In-Reply-To: <4D6FF565.9070608@netfence.it>
References: <4D6FF565.9070608@netfence.it>
List-Id: Porting software to FreeBSD
Hi,

On Thu, Mar 3, 2011 at 12:09 PM, Andrea Venturoli wrote:
> Hello.
>
> As you probably know, it looks like php52 is vulnerable:
>
> Affected package: php52-5.2.17
> Type of problem: php -- NULL byte poisoning.
> Reference:
> http://portaudit.FreeBSD.org/3761df02-0f9c-11e0-becc-0022156e8794.html
>
> Is there any news on the horizon?

I think PHP developers haven't got that patched for 5.2.x (yet), as the branch is considered to be obsolete. We may have to patch the port ourselves.

Note that the FreeBSD PHP port comes with Suhosin by default, which _could_ have mitigated the attack (disclaimer: I'm not very confident that this solves all problems, though, as it requires a more thorough code review).

Cheers,
--
Xin LI http://www.delphij.net
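For readers following the thread, here is an added illustration of the bug class the portaudit entry names (NULL byte poisoning), written for this archive and not taken from PHP, Suhosin or the FreeBSD port. A PHP-like runtime keeps strings length-counted, so an attacker-supplied "\0" survives string concatenation; the moment the result is handed to open(2) or fopen(3) as a C string, the path ends at that NUL and any suffix the application appended (".txt", ".php") is silently dropped. The struct and function names, the path prefix and the attacker input below are all constructed for the demonstration; the hardened builder applies the check a fixed runtime has to make, rejecting any path that contains a NUL before it reaches a filesystem call.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Length-counted string, the way a PHP-like runtime holds request data:
 * the length is tracked, so a NUL byte from the attacker is just another byte.
 * (Struct and function names here are hypothetical, for illustration only.)
 */
struct lstr {
    const char *val;
    size_t len;
};

/* Constructed inputs for the demonstration (not real data from the thread). */
static const char PREFIX[] = "/var/www/uploads/";
static const char SUFFIX[] = ".txt";
/* sizeof - 1 keeps the embedded "\0" but drops the literal's terminating NUL: 20 bytes. */
static const char ATTACK[] = "../../../etc/passwd\0";
static const size_t ATTACK_LEN = sizeof(ATTACK) - 1;

/*
 * The vulnerable pattern, `$prefix . $user . $suffix`, done with explicit lengths:
 * the NUL survives concatenation intact. Returns the full (counted) length, or 0
 * if the buffer is too small. out is always NUL-terminated on success.
 */
size_t build_path(const char *prefix, const struct lstr *user, const char *suffix,
                  char *out, size_t outsz)
{
    size_t pl = strlen(prefix), sl = strlen(suffix);
    size_t total = pl + user->len + sl;
    if (total + 1 > outsz)
        return 0;
    memcpy(out, prefix, pl);
    memcpy(out + pl, user->val, user->len);
    memcpy(out + pl + user->len, suffix, sl);
    out[total] = '\0';
    return total;
}

/*
 * What open(2)/fopen(3) actually see once the counted string is handed over as a
 * C string: everything after the first NUL, including the ".txt" suffix, is gone.
 */
size_t effective_path_len(const char *path)
{
    return strlen(path);
}

/* Returns 1 when the path is poisoned: a NUL sits inside the counted length. */
int path_is_truncated(const char *path, size_t counted_len)
{
    return memchr(path, '\0', counted_len) != NULL;
}

/*
 * Hardened variant: refuse the request outright if the user part contains a NUL,
 * before it ever reaches a filesystem call. Returns 0 on success, -1 on an
 * embedded NUL, -2 if the buffer is too small.
 */
int build_path_checked(const char *prefix, const struct lstr *user, const char *suffix,
                       char *out, size_t outsz)
{
    if (memchr(user->val, '\0', user->len) != NULL)
        return -1;
    return build_path(prefix, user, suffix, out, outsz) ? 0 : -2;
}

int main(void)
{
    char path[128];
    struct lstr user = { ATTACK, ATTACK_LEN };
    size_t counted = build_path(PREFIX, &user, SUFFIX, path, sizeof path);

    printf("counted length %zu, length seen by open(2) %zu\n",
           counted, effective_path_len(path));
    printf("open(2) would receive: \"%s\"\n", path);
    printf("hardened builder returns %d\n",
           build_path_checked(PREFIX, &user, SUFFIX, path, sizeof path));
    return 0;
}
```

The check has to scan the full counted length (memchr over `len`), never the C-string length: a strlen-based check sees exactly the truncated view the attacker wants it to see. Whether Suhosin's own filters catch a given code path is a separate question, as the message above says, and nothing here stands in for that review.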