PHP new vulnarabilities

Bill Moran wmoran at
Sun Oct 15 11:50:37 PDT 2006

Paul Schmehl <pauls at> wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists at> 
> wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
> > can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable version 
> of php in *today's* world, is an absolute fool.  Some of us are *stuck* 
> with the vulnerable version, because we installed before the vulnerability 
> was found.  We can't go back because previous versions are *also* 
> vulnerable.

Have you looked at the vulnerability?  There are only certian coding
instances that would actually open this up to any attack vector.  Since
the bug is in unserialize, it's pretty easy audit a program to ensure
that it isn't vulnerable.

"absolute fool" seems a little extreme.

Bill Moran

Six men came to kill me one time, and the best of them carried this. It's
a Callahan fullbore autolock, customized trigger and double cartridge
thourough-gage.  It's my very favorite gun.

	Jayne Cobb

More information about the freebsd-questions mailing list