php5-5.1.6 & 5.1.6_1
cswiger at mac.com
Fri Oct 13 11:24:58 PDT 2006
On Oct 13, 2006, at 10:43 AM, Bill Blue wrote:
> It took some massaging, but I was finally able to get all the ports
> re-compiled except one, that in the subject line.
> php5-5.1.6 refuses to build because of Known Vulnerabilities: php
> -- _ecalloc integer overflow vulnerability,
> php5-5.1.6_1 refuses to build also because of Known
> Vulnerabilities: php -- open_basedir race condition vulnerabilities.
> Any suggestions?
1) Install PHP anyway, knowing that it contains known, exploitable
cd /usr/ports/lang/php5 && DISABLE_VULNERABILITIES=yes make install
Be aware that people are actively exploiting PHP-based apps using
this hole right now.
Be prepared to reinstall your machine completely from scratch after
it gets hacked.
2) Live without PHP and anything which uses it.
I recommend choosing option #2, where possible, otherwise restricting
the use of PHP to machines which do not contain confidential or
important data, and are kept in your network's DMZ or similiar "semi-
trusted" subnet, rather than on your internal LAN.
More information about the freebsd-ports