PHP new vulnarabilities
Bill Moran
wmoran at collaborativefusion.com
Sun Oct 15 11:50:37 PDT 2006
Paul Schmehl <pauls at utdallas.edu> wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists at bsdunix.ch>
> wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
> > can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable version
> of php in *today's* world, is an absolute fool. Some of us are *stuck*
> with the vulnerable version, because we installed before the vulnerability
> was found. We can't go back because previous versions are *also*
> vulnerable.
Have you looked at the vulnerability? There are only certian coding
instances that would actually open this up to any attack vector. Since
the bug is in unserialize, it's pretty easy audit a program to ensure
that it isn't vulnerable.
"absolute fool" seems a little extreme.
--
Bill Moran
Six men came to kill me one time, and the best of them carried this. It's
a Callahan fullbore autolock, customized trigger and double cartridge
thourough-gage. It's my very favorite gun.
Jayne Cobb
More information about the freebsd-questions
mailing list