PHP new vulnarabilities
Jonathan Horne
freebsd at dfwlp.com
Sun Oct 15 10:39:15 PDT 2006
On Sunday 15 October 2006 08:12, Joerg Pernfuss wrote:
> On Sun, 15 Oct 2006 14:31:25 +0200
>
> "Khaled J. Hussein" <khaled at hadara.ps> wrote:
> > hi all
> >
> > last time i found this when i run portaudit -Fda
> >
> > Affected package: php5-5.1.6
> > Type of problem: php -- _ecalloc Integer Overflow Vulnerability.
> > Reference:
> > <http://www.FreeBSD.org/ports/portaudit/e329550b-54f7-11db-a5ae-00508d6a6
> >2df.html>
> >
> > how can i fix this
>
> update ypur portstree. you'll get php5-5.1.6_1 which fixes the _ecalloc
> overflow, but not yet the open_basedir race condition.
>
> Joerg
ive been scratching my head on this one for a few days too. i have a box at
home, that is running 6.2-PRERELEASE. when i try to install the lang/php5
port, i get:
[root at athena /usr/ports/lang/php5]# make install clean
===> php5-5.1.6_1 has known vulnerabilities:
=> php -- open_basedir Race Condition Vulnerability.
Reference:
<http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
=> Please update your ports tree and try again.
*** Error code 1
Stop in /usr/ports/lang/php5.
however, my server is running the same port, with no issue whatsoever.
[root at zeus /etc/mail]# pkg_info | grep php5
php5-5.1.6_1
(and many extensions too)
perplexing that one box could have it, while another one (using the same
updated ports tree), refuses it. could be related to the code branch im
following on my workstaion versus my server?
thanks,
jonathan
More information about the freebsd-questions
mailing list