PHP new vulnerabilities
dave.list at pixelhammer.com
Sun Oct 15 13:32:07 PDT 2006
Paul Schmehl wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists at bsdunix.ch>
>> Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
>> can use:
>> make -DDISABLE_VULNERABILITIES install clean
>> It will ignore the vuxml entry.
> No offense, but anybody who *deliberately* installs a vulnerable version
> of php in *today's* world, is an absolute fool. Some of us are *stuck*
> with the vulnerable version, because we installed before the
> vulnerability was found. We can't go back because previous versions are
> *also* vulnerable.
> But *deliberately* installing it when you *know* it's vulnerable - and
> one of the most attacked applications on the internet? Foolhardy
> doesn't quite grasp the insanity of that.
That is a bit extreme. I have a full workload, I put in about 60 hours a
week (I work a lot of weekends, I'm working now). I have servers running
all different versions of apps. I can't go around upgrading everything at
the drop of a hat. I would be divorced within a month.
If you read the security alerts carefully you will find many require a
shell (we don't offer them to clients), some require a specific app to
be running that you may not need (rm -f /usr/local/bin/vulnerable_app),
and sometimes a simple code audit will tell you if you are vulnerable.
It is also not uncommon that a security alert is issued for a problem
that has not been proven in the wild.
There are plenty of reasons to not follow a security alert, many of them
quite valid. Upgrading mission critical systems without thoroughly
understanding the implications just because someone screamed SECURITY!,
now that is foolhardy.
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Maybe they forgot who made that choice possible.
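The refusal that Thomas works around with -DDISABLE_VULNERABILITIES comes from the ports framework checking the version about to be installed against the affected range recorded in the vuxml entry; whether an installed php5 actually falls inside such a range is also the first thing to settle before deciding, as Dave argues, whether a given alert applies to you at all. The script below is an added example, not code from this thread or from the FreeBSD ports tree or portaudit: a simplified reimplementation of the package-version comparison (epoch after a comma, port revision after an underscore, numeric dotted components only; letter suffixes such as rc1 are not handled) run against a constructed host inventory. The range 5.1.6 to 5.1.6_2 is an assumed illustration, not the real vuxml entry for the issue being discussed.

```shell
#!/bin/sh
# Added example: simplified vuxml-style "is this version affected" check.
# Not the real portaudit / ports framework code; assumptions are marked.

# split a package version such as "5.1.6_1,2" into EPOCH, VER and REV
split_ver() {
    EPOCH=0; REV=0
    case "$1" in *,*) EPOCH=${1##*,} ;; esac   # epoch follows the comma
    v=${1%%,*}
    case "$v" in *_*) REV=${v##*_} ;; esac     # port revision follows "_"
    VER=${v%%_*}
}

# compare two dotted numeric strings component by component;
# prints -1, 0 or 1. Assumption: components are plain integers.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$ah" = "$a" ] && a='' || a=${a#*.}
        [ "$bh" = "$b" ] && b='' || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}              # missing component counts as 0
        if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
    done
    echo 0
}

# full comparison: epoch first, then version, then port revision
pkg_cmp() {
    split_ver "$1"; e1=$EPOCH; v1=$VER; r1=$REV
    split_ver "$2"; e2=$EPOCH; v2=$VER; r2=$REV
    c=$(cmp_dotted "$e1" "$e2")
    [ "$c" != 0 ] && { echo "$c"; return; }
    c=$(cmp_dotted "$v1" "$v2")
    [ "$c" != 0 ] && { echo "$c"; return; }
    cmp_dotted "$r1" "$r2"
}

# affected INSTALLED LOWER UPPER: true when LOWER <= INSTALLED < UPPER,
# mirroring a vuxml <ge>LOWER</ge> <lt>UPPER</lt> range
affected() {
    [ "$(pkg_cmp "$1" "$2")" -ge 0 ] && [ "$(pkg_cmp "$1" "$3")" -lt 0 ]
}

# Constructed inventory and constructed range (assumptions for illustration,
# not the real vuxml entry): host name followed by its php5 version.
LOWER=5.1.6
UPPER=5.1.6_2
for entry in "web1 5.1.6_1" "web2 5.1.6_2" "web3 4.4.4" "web4 5.1.6_1,1"; do
    set -- $entry
    if affected "$2" "$LOWER" "$UPPER"; then
        echo "$1: php5-$2 is inside the affected range, read the alert"
    else
        echo "$1: php5-$2 is outside the range, alert does not apply as stated"
    fi
done
```

Only a host reported inside the range needs the follow-up Dave describes (does the issue need a shell, an extension you do not load, a code path you can audit); a host outside it was never the one the vuxml entry was about, and would never have been refused by the ports build in the first place.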