php5-5.1.6 & 5.1.6_1

Chuck Swiger cswiger at
Fri Oct 13 11:24:58 PDT 2006

On Oct 13, 2006, at 10:43 AM, Bill Blue wrote:
> It took some massaging, but I was finally able to get all the ports  
> re-compiled except one, that in the subject line.
> php5-5.1.6 refuses to build because of Known Vulnerabilities: php  
> -- _ecalloc integer overflow vulnerability,
> php5-5.1.6_1 refuses to build also because of Known  
> Vulnerabilities: php -- open_basedir race condition vulnerabilities.
> Any suggestions?

1) Install PHP anyway, knowing that it contains known, exploitable  
vulnerabilities, via:

   cd /usr/ports/lang/php5 && DISABLE_VULNERABILITIES=yes make install

Be aware that people are actively exploiting PHP-based apps using  
this hole right now.
Be prepared to reinstall your machine completely from scratch after  
it gets hacked.

2) Live without PHP and anything which uses it.

I recommend choosing option #2, where possible, otherwise restricting  
the use of PHP to machines which do not contain confidential or  
important data, and are kept in your network's DMZ or similiar "semi- 
trusted" subnet, rather than on your internal LAN.


More information about the freebsd-ports mailing list