php5-5.2.11_1 Vulnerabilities

Vincent Hoffman vince at unsane.co.uk
Sat Dec 26 12:06:39 UTC 2009 

Xin LI wrote:
> I think ale@ has posted a patch to update it to PHP 5.3.1 which is not
> vulnerable.  Is it an option for you?
>
> http://www.alexdupre.com/php53.diff
>   
We've found 5.3 is different enough from 5.2 at work that a number of
customers have needed downgrading again after upgrading. (We're a linux
shop but same theory applies) a particular gotcha was the removal of the
mhash module which is used by plenty of shopping cart code, (its now
emulated by the built in hash stuff, but php configure needs the
--with-mhash flag. And because its emulated it cant be built as a
module.) Test throughly if your thinking of moving to php5.3.
    However as yet various stuff thats in the php5.2.11 port isnt
available or has changed a bit for 5.2.12. for example the Suhosin
hardening patch isnt available for 5.2.12 yet (People taking time off
for the holidays I'd guess ;)

Vince
> On Thu, Dec 24, 2009 at 8:49 PM, r00t <r00t at ellicit.org> wrote:
>   
>> I was wondering why this isn't available to upgrade...
>>
>>
>>
>> Affected package: php5-5.2.11_1
>> Type of problem: php -- multiple vulnerabilities.
>> Reference: <http://portaudit.FreeBSD.org/39a25a63-eb5c-11de-b650-00215c6a37bb.html
>>
>> Security Enhancements and Fixes in PHP 5.2.12 is what the above reference says.
>>
>> Standard methods of upgrading have no shown a fix for this...does anyone have information on when this will be fixed?
>>
>>
>> Port:    php5-5.2.11_1
>> Path:    /usr/ports/lang/php5
>> Info:    PHP Scripting Language
>> Maint:    ale at FreeBSD.org
>> B-deps:    autoconf-2.62 autoconf-wrapper-20071109 libiconv-1.13.1
>> libxml2-2.7.6_1 m4-1.4.13,1 perl-5.8.9_3 pkg-config-0.23_1
>> R-deps:    libiconv-1.13.1 libxml2-2.7.6_1 pkg-config-0.23_1
>> WWW:    http://www.php.net/
>>
>> _______________________________________________
>> freebsd-stable at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>>
>>     
>
>
>
>

More information about the freebsd-stable mailing list