Re: PHP4 v. php4-4.4.7_2 refuse to upgrade …

Kevin Kinsey kdk at daleco.biz
Thu Oct 4 13:45:10 PDT 2007 

Beech Rintoul wrote:
> On Wednesday 03 October 2007, bsd said:
>> Hello,
>>
>>
>> I am using
>>
>> FreeBSD xxx.fr 5.5-RELEASE-p9 FreeBSD 5.5-RELEASE-p9 #1: Thu Dec 14
>> 11:39:18 CET 2006     root at newmail.rmm.fr:/usr/obj/usr/src/sys/
>> GENERIC  i386
>>
>>
>> When trying to upgrade from php php4-4.4.7_1 to php4-4.4.7_2 there
>> is this strange error…
>>
>>
>> Updating the pkgdb <format:bdb_btree> in /var/db/pkg ... - 209
>> packages found (-3 +1) (...). done]
>> --->  Upgrading 'php4-4.4.7_1' to 'php4-4.4.7_2' (lang/php4)
>> --->  Building '/usr/ports/lang/php4'
>> ===>  Cleaning for autoconf-2.61_2
>> ===>  Cleaning for php4-4.4.7_2
>> ===>  php4-4.4.7_2 has known vulnerabilities:
>> => php -- multiple vulnerabilities.
>>     Reference: <http://www.FreeBSD.org/ports/portaudit/
>> 71d903fc-602d-11dc-898c-001921ab2fa4.html>
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/lang/php4.
>> *** Error code 1
>>
>> Stop in /usr/ports/lang/php4.
>> ** Command failed [exit code 1]: /usr/bin/script -qa
>> /tmp/portupgrade. 24846.54 env UPGRADE_TOOL=portupgrade
>> UPGRADE_PORT=php4-4.4.7_1 UPGRADE_PORT_VER=4.4.7_1 make
>> ** Fix the problem and try again.
>>
>>
>> I don't understand because my port tree is up to date !!
>>
>> Any idea ?
> 
> Yes it means that the port you're trying to update to has security 
> issues. If you're feeling lucky you can do:
> portupgrade -m DISABLE_VULNERABILITIES=yes php
> 
> But it's not a good idea. If you build it anyway and get hacked, don't 
> say you weren't warned ;-)

PHP4 is EOL; the fact that 4.4.7-2 has vulnerabilities is only
surprising because it's still listed as the latest "historical"
PHP release on php.net, and they have promised on the front page
to continue to support PHP4 until the end of the year.  One can't
judge without further research, but perhaps the development team
is dragging their feet on purpose for some reason, or they've
maybe handed PHP4 off to a couple of junior guys who are pulling
their hair out on it?  All conjecture.

I'd advise moving to PHP5 now.  It doesn't hurt much.  Main
thing I remember is that short_tags=off and I had
to replace quite a few of those....

Kevin Kinsey
-- 
English literature's performing flea.
		-- Sean O'Casey on P. G. Wodehouse

More information about the freebsd-questions mailing list