PHP new vulnarabilities
Thomas
freebsdlists at bsdunix.ch
Sun Oct 15 10:50:43 PDT 2006
Hi Jonathan
Jonathan Horne schrieb:
> On Sunday 15 October 2006 08:12, Joerg Pernfuss wrote:
>> On Sun, 15 Oct 2006 14:31:25 +0200
>>
>> "Khaled J. Hussein" <khaled at hadara.ps> wrote:
>>> hi all
>>>
>>> last time i found this when i run portaudit -Fda
>>>
>>> Affected package: php5-5.1.6
>>> Type of problem: php -- _ecalloc Integer Overflow Vulnerability.
>>> Reference:
>>> <http://www.FreeBSD.org/ports/portaudit/e329550b-54f7-11db-a5ae-00508d6a6
>>> 2df.html>
>>>
>>> how can i fix this
>> update ypur portstree. you'll get php5-5.1.6_1 which fixes the _ecalloc
>> overflow, but not yet the open_basedir race condition.
>>
>> Joerg
>
> ive been scratching my head on this one for a few days too. i have a box at
> home, that is running 6.2-PRERELEASE. when i try to install the lang/php5
> port, i get:
>
> [root at athena /usr/ports/lang/php5]# make install clean
> ===> php5-5.1.6_1 has known vulnerabilities:
> => php -- open_basedir Race Condition Vulnerability.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>
> => Please update your ports tree and try again.
> *** Error code 1
>
> Stop in /usr/ports/lang/php5.
>
> however, my server is running the same port, with no issue whatsoever.
>
> [root at zeus /etc/mail]# pkg_info | grep php5
> php5-5.1.6_1
> (and many extensions too)
>
> perplexing that one box could have it, while another one (using the same
> updated ports tree), refuses it. could be related to the code branch im
> following on my workstaion versus my server?
Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
can use:
make -DDISABLE_VULNERABILITIES install clean
It will ignore the vuxml entry.
Cheers,
Thomas
More information about the freebsd-questions
mailing list