PHP new vulnarabilities
DAve
dave.list at pixelhammer.com
Sun Oct 15 13:32:07 PDT 2006
Paul Schmehl wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists at bsdunix.ch>
> wrote:
>>
>> Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
>> can use:
>> make -DDISABLE_VULNERABILITIES install clean
>> It will ignore the vuxml entry.
>>
> No offense, but anybody who *deliberately* installs a vulnerable version
> of php in *today's* world, is an absolute fool. Some of us are *stuck*
> with the vulnerable version, because we installed before the
> vulnerability was found. We can't go back because previous versions are
> *also* vulnerable.
>
> But *deliberately* installing it when you *know* it's vulnerable - and
> one of the most attacked applications on the internet? Foolhardy
> doesn't quite grasp the insanity of that.
>
That is a bit extreme. I have a full workload, I put in about 60 hours a
week (I work a lot of weekends, I'm working now). I have servers running
all different version of apps. I can't go around upgrading everything at
the drop of a hat. I would be divorced within a month.
If you read the security alerts carefully you will find many require a
shell (We don't offer them to clients), some require a specific app to
be running that you may not need (rm -f /usr/local/bin/vulnerable_app),
and sometimes a simple code audit will tell you if you are vulnerable.
It is also not uncommon that a security alert is issued for a problem
that has not be proven in the wild.
There are plenty of reasons to not follow a security alert, many of them
quite valid. Upgrading mission critical systems without throughly
understanding the implications just because someone screamed SECURITY!,
now that is foolhardy.
DAve
--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?
Maybe they forgot who made that choice possible.
More information about the freebsd-questions
mailing list