PHP new vulnerabilities

DAve dave.list at
Sun Oct 15 13:32:07 PDT 2006

Paul Schmehl wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists at> 
> wrote:
>> Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
>> can use:
>> make -DDISABLE_VULNERABILITIES install clean
>> It will ignore the vuxml entry.
> No offense, but anybody who *deliberately* installs a vulnerable version 
> of php in *today's* world, is an absolute fool.  Some of us are *stuck* 
> with the vulnerable version, because we installed before the 
> vulnerability was found.  We can't go back because previous versions are 
> *also* vulnerable.
> But *deliberately* installing it when you *know* it's vulnerable - and 
> one of the most attacked applications on the internet?  Foolhardy 
> doesn't quite grasp the insanity of that.

That is a bit extreme. I have a full workload, I put in about 60 hours a 
week (I work a lot of weekends, I'm working now). I have servers running 
all different versions of apps. I can't go around upgrading everything at 
the drop of a hat. I would be divorced within a month.

If you read the security alerts carefully you will find many require a 
shell (we don't offer them to clients), some require a specific app to 
be running that you may not need (rm -f /usr/local/bin/vulnerable_app), 
and sometimes a simple code audit will tell you if you are vulnerable. 
It is also not uncommon that a security alert is issued for a problem 
that has not been proven in the wild.

There are plenty of reasons to not follow a security alert, many of them 
quite valid. Upgrading mission critical systems without thoroughly 
understanding the implications just because someone screamed SECURITY!, 
now that is foolhardy.


Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for

Maybe they forgot who made that choice possible.
