On Sun, 15 Oct 2006 13:07:15 -0500
Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas
> <[EMAIL PROTECTED]> 
> wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1.
> > You can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable
> version of php in *today's* world, is an absolute fool.  Some of us
> are *stuck* with the vulnerable version, because we installed before
> the vulnerability was found.  We can't go back because previous
> versions are *also* vulnerable.
> 
> But *deliberately* installing it when you *know* it's vulnerable -
> and one of the most attacked applications on the internet?  Foolhardy
> doesn't quite grasp the insanity of that.

Completely true, but in this situation, the update is arguably the
better thing to do.

With the update you trade an integer overflow against this open_basedir
hole that is, as far as I know, harder to exploit and the _1 version
is sure to have the suhosin 0.9.5 patch (5.1.6 can be either 0.9.3 or
0.9.5 depending on checkout date - or none at all) - and with suhosin
one can disable symlink(). Which may of course very well break the php
"application", but this is simply "choose your poison".

        Joerg

-- 
| /"\   ASCII ribbon   |  GnuPG Key ID | e86d b753 3deb e749 6c3a |
| \ / campaign against |    0xbbcaad24 | 5706 1f7d 6cfd bbca ad24 |
|  X    HTML in email  |        .the next sentence is true.       |
| / \     and news     |     .the previous sentence was a lie.    |
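Added example, not from the thread or from any of its posters: a small POSIX shell audit of a php.ini for the two settings Joerg's trade-off turns on, whether open_basedir is set at all and whether symlink() is disabled. The poster disables symlink() through suhosin; this script assumes stock PHP's disable_functions directive instead, which is the equivalent knob without the patch. The two php.ini fragments are constructed for the example.

```shell
#!/bin/sh
# Added example: audit php.ini text for open_basedir and a disabled symlink().
# Uses stock PHP's disable_functions rather than the suhosin blacklist the
# thread mentions. Both ini fragments below are constructed sample data.

WEAK_INI='; constructed sample: neither setting in place
open_basedir =
disable_functions =
'

HARDENED_INI='; constructed sample: both settings in place
open_basedir = /var/www/htdocs:/tmp
disable_functions = symlink,link,exec
'

# ini_value INI_TEXT KEY: print KEY's value with whitespace trimmed.
# Full-line comments are skipped; the last assignment wins, as in PHP.
ini_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*[;#]/ { next }
        { i = index($0, "=") }
        i > 0 {
            k = substr($0, 1, i - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, i + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }'
}

# symlink_disabled INI_TEXT: succeed if symlink is listed in disable_functions.
symlink_disabled() {
    ini_value "$1" disable_functions | tr ',' '\n' | tr -d ' \t' | grep -qx symlink
}

# open_basedir_set INI_TEXT: succeed if open_basedir has a non-empty value.
open_basedir_set() {
    [ -n "$(ini_value "$1" open_basedir)" ]
}

# audit_ini INI_TEXT: print one line per finding; return the number of findings.
audit_ini() {
    findings=0
    if ! open_basedir_set "$1"; then
        echo "FINDING: open_basedir is not set; scripts are not confined to a directory tree"
        findings=$((findings + 1))
    fi
    if ! symlink_disabled "$1"; then
        echo "FINDING: symlink() is enabled; the open_basedir hole discussed in the thread relies on it"
        findings=$((findings + 1))
    fi
    return $findings
}

echo "== weak php.ini =="
n=0; audit_ini "$WEAK_INI" || n=$?
echo "findings: $n"
echo "== hardened php.ini =="
n=0; audit_ini "$HARDENED_INI" || n=$?
echo "findings: $n"
```

To run it against a real file, replace the constructed strings with `"$(cat /usr/local/etc/php.ini)"` or whatever path the port installed; the parser only looks at key = value lines and ignores sections and comments, so a value that is set twice reports the later one, matching how PHP reads the file.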
