PEAR packages potentially contain malicious code
Remko Lodder
remko at FreeBSD.org
Mon Jan 21 20:24:03 UTC 2019
Hi Stefan,
> On 21 Jan 2019, at 21:18, Stefan Bethke <stb at lassitu.de> wrote:
>
> I’ve just learned that the repository for the PHP PEAR set of extensions had their distribution server compromised.
>
> https://twitter.com/pear/status/1086634503731404800
>
> I don’t really work with PHP much apart from installing packages of popular PHP web apps on my servers, so I can’t tell whether this code made it onto machines building from PEAR sources, or even into FreeBSD binary packages of PEAR extensions. Given the large user base for these packages, some advice to FreeBSD users might be well received.
Thank you for sending the heads-up to the FreeBSD users.
I have CC’ed ports-secteam; they will handle it with due care when more information is available and they can act upon something.
I have BCC’ed the maintainer for the PHP port(s), but I am not entirely sure whether he maintains all the pear ports as well.
Again, thank you.
Best regards,
Remko
Hat: Security Team
>
>
> Thanks,
> Stefan
>
> --
> Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811
>
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"