Date:      Sun, 15 Oct 2006 14:50:34 -0400
From:      Bill Moran <wmoran@collaborativefusion.com>
To:        Paul Schmehl <pauls@utdallas.edu>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PHP new vulnarabilities
Message-ID:  <20061015145034.0f039b05.wmoran@collaborativefusion.com>
In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
References:  <45322A1D.8070204@hadara.ps> <20061015151215.15a4062e@loki.starkstrom.lan> <200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>

Paul Schmehl <pauls@utdallas.edu> wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists@bsdunix.ch> 
> wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
> > can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable version 
> of php in *today's* world, is an absolute fool.  Some of us are *stuck* 
> with the vulnerable version, because we installed before the vulnerability 
> was found.  We can't go back because previous versions are *also* 
> vulnerable.

Have you looked at the vulnerability?  There are only certain coding
instances that would actually open this up to any attack vector.  Since
the bug is in unserialize, it's pretty easy to audit a program to ensure
that it isn't vulnerable.

"absolute fool" seems a little extreme.

-- 
Bill Moran

Six men came to kill me one time, and the best of them carried this. It's
a Callahan fullbore autolock, customized trigger and double cartridge
thorough-gauge.  It's my very favorite gun.

	Jayne Cobb
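One way to start the audit Bill describes, as an added example that is not code from this thread: a textual scan of PHP source for unserialize() calls, flagging those whose argument references a request superglobal. The sample PHP is constructed for the demonstration, and the list of input sources and the two classification labels are my own assumptions.

```python
import re

# Constructed sample PHP source (not from the thread): three unserialize()
# calls, two fed from request data and one fed from server-side session data.
SAMPLE_PHP = """<?php
session_start();
$prefs = unserialize($_COOKIE['prefs']);              // request data
$cart  = unserialize($_SESSION['cart_blob']);         // server-side data
$n = count($prefs);
$data = unserialize(base64_decode($_POST['state']));  // decoded request data
"""

# Sources PHP fills from the HTTP request (assumed list); a value from one of
# these reaching unserialize() is what the audit is looking for.
USER_INPUT = re.compile(r"\$_(GET|POST|COOKIE|REQUEST|FILES)\b|php://input")
CALL = re.compile(r"\bunserialize\s*\(")


def _balanced_arg(line, start):
    """Slice from start up to the parenthesis that closes the unserialize( call."""
    depth = 1
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start:i]
    return line[start:]


def audit_unserialize(php_source):
    """Return (line_no, classification, code) for every unserialize() call.

    'user-input' means a request superglobal appears in the call's argument;
    'review' means a human still has to trace where the argument comes from.
    This is a coarse textual check: it does not follow data flow through
    variables, so a 'review' hit is not proof that the call is safe.
    """
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for m in CALL.finditer(line):
            arg = _balanced_arg(line, m.end())
            kind = "user-input" if USER_INPUT.search(arg) else "review"
            findings.append((line_no, kind, line.strip()))
    return findings


if __name__ == "__main__":
    for line_no, kind, code in audit_unserialize(SAMPLE_PHP):
        print(f"line {line_no}: {kind}: {code}")
```

Run it over a whole tree with os.walk or a shell loop; anything classified 'review' still needs its argument traced back by hand.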
