Re: port php5 - what I am supposed to do here?

2006-10-06 Thread Alex Zbyslaw

Matt Emmerton wrote:


Hello List,

Portaudit tells me about the open_basedir Race Condition
Vulnerability, OK.

By reading the advisory on
http://www.hardened-php.net/advisory_082006.132.html I can safely say
this does not apply to our environment, we don't use open_basedir or
safe_mode and Suhosin is planned anyway (after test).

[...]
So what to do now?

You've established that the security issue doesn't apply to your
environment.

1) Add DISABLE_VULNERABILITIES=yes to /etc/make.conf
2) Run portupgrade -u or make install clean

 

By doing this you have disabled vulnerability checking for *all* ports 
which seems a little extreme.  Either add the flag to pkgtools.conf (for 
portupgrade (and portmanager?)) or use it from the command line with make.


--Alex


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: port php5 - what I am supposed to do here?

2006-10-06 Thread Eric
Alain Wolf wrote:
 
 Thanks Matt, that did it. I knew there was a way. :-)
 
 But then ...
 As everything was in sync again, I wanted to install the suhosin-patch
 
 And see what happens:
 
 ===>  Patching for php5-5.1.6_1
 ===>  Applying distribution patches for php5-5.1.6_1
 ===>  Applying FreeBSD patches for php5-5.1.6_1
 1 out of 1 hunks failed--saving rejects to Zend/zend_alloc.c.rej
 => Patch patch-Zend_zend_alloc.c failed to apply cleanly.
 => Patch(es) patch-TSRM_threads.m4 patch-Zend::zend.h applied cleanly.
 *** Error code 1
 
 Stop in /usr/ports/lang/php5.
 
 
 :-(
 
 I found this strange as I had just read about the newest patch on the
 cvs-ports list:
 
 On 05.10.2006 22:59, * Alex Dupre wrote:
 ale 2006-10-05 20:59:17 UTC
 
   FreeBSD ports repository
 
   Modified files:
  lang/php5        Makefile
    Added files:
  lang/php5/files  patch-Zend_zend_alloc.c
   Log:
   Added safety checks against integer overflow.
   Bump PORTREVISION.
   While I'm here, I suggest all php users to use the suhosin patch
   and suhosin extension to harden the php installation.

 He suggests the suhosin patch, but in my experience it only builds
 without it.
 
 Anybody else got this kind of problems?
 

Same thing here.  How many more are seeing this? For now I'll just go
with the extension until the patch thing is resolved, I guess.

Why is there a patch out there that doesn't apply, and why is it being
advocated if it's broken? =)


Re: port php5 - what I am supposed to do here?

2006-10-06 Thread Alain Wolf

On 06.10.2006 11:26, * Alex Zbyslaw wrote:
 Matt Emmerton wrote:
 
 Hello List,

 Portaudit tells me about the open_basedir Race Condition
 Vulnerability, OK.

 By reading the advisory on
 http://www.hardened-php.net/advisory_082006.132.html I can safely say
 this does not apply to our environment, we don't use open_basedir or
 safe_mode and Suhosin is planned anyway (after test).
 [...]
 So what to do now?

 You've established that the security issue doesn't apply to your
 environment.

 1) Add DISABLE_VULNERABILITIES=yes to /etc/make.conf
 2) Run portupgrade -u or make install clean


 By doing this you have disabled vulnerability checking for *all* ports
 which seems a little extreme.  Either add the flag to pkgtools.conf (for
 portupgrade (and portmanager?)) or use it from the command line with make.
 
 --Alex

Thanks for the advice; as a matter of fact this came to my mind too, so
what I actually did in make.conf was:

...
# PHP 5 Port installation options
.if ${.CURDIR:M*/lang/php5*}
DISABLE_VULNERABILITIES=yes
.endif
...

Greetings






port php5 - what I am supposed to do here?

2006-10-05 Thread Alain Wolf

Hello List,

Portaudit tells me about the open_basedir Race Condition
Vulnerability, OK.

By reading the advisory on
http://www.hardened-php.net/advisory_082006.132.html I can safely say
this does not apply to our environment, we don't use open_basedir or
safe_mode and Suhosin is planned anyway (after test).

With a portsnap fetch update I get a new version php5-5.1.6_1 in my
portstree, OK.

But portmanager -u or even manually with make install clean
everything fails with the following message:

===>  php5-5.1.6_1 has known vulnerabilities:
=> php -- open_basedir Race Condition Vulnerability.
   Reference:
http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html
=> Please update your ports tree and try again.
*** Error code 1

So what to do now?
There are quite a lot of dependencies which I can't update now either.

Also installing/enabling Suhosin seems not possible anymore now.

Any suggestions are welcome.

Greetings from Switzerland

Alain Wolf

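The post above sets the portaudit check aside on the grounds that neither open_basedir nor safe_mode is in use. Before suppressing such a check it is worth confirming that claim against the php.ini PHP actually loads (the "Loaded Configuration File" shown by phpinfo()). The sh script below is an added example, not code from this thread or from the FreeBSD ports tree: it parses php.ini-style text, handling commented-out lines, quoted values, empty values and the last-assignment-wins rule, and reports whether either setting is in effect. The two ini excerpts embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from this thread or from the FreeBSD ports tree.
# Inspect php.ini-style text for the two settings the poster's assessment
# rests on (open_basedir and safe_mode) so the decision to suppress the
# portaudit check is backed by the configuration PHP actually loads.

# ini_value KEY INI_TEXT: print the effective value of KEY.
# Comments (";" to end of line) are dropped first, so a commented-out
# "; safe_mode = On" is ignored; surrounding quotes and blanks are stripped;
# the last assignment wins, as it does in php.ini.
ini_value() {
    key="$1"
    printf '%s\n' "$2" |
        sed -n -e 's/[[:space:]]*;.*$//' \
               -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" |
        sed -e 's/^"//' -e 's/"[[:space:]]*$//' -e 's/[[:space:]]*$//' |
        tail -n 1
}

# feature_enabled NAME INI_TEXT: exit 0 when NAME is in effect, 1 when not,
# 2 for an unknown NAME.  open_basedir is active as soon as it has a
# non-empty value; safe_mode is a PHP boolean (On/1/True/Yes, any case).
feature_enabled() {
    case "$1" in
        open_basedir)
            v=$(ini_value open_basedir "$2")
            [ -n "$v" ]
            ;;
        safe_mode)
            v=$(ini_value safe_mode "$2" | tr '[:upper:]' '[:lower:]')
            case "$v" in
                on|1|true|yes) return 0 ;;
                *)             return 1 ;;
            esac
            ;;
        *)
            return 2
            ;;
    esac
}

# advisory_preconditions_met INI_TEXT: exit 0 if either setting is on,
# i.e. the advisory's preconditions (as described in the thread) hold.
advisory_preconditions_met() {
    feature_enabled open_basedir "$1" || feature_enabled safe_mode "$1"
}

# Constructed php.ini excerpts for the demonstration (not from any real host).
SAMPLE_HARDENED='[PHP]
safe_mode = On
open_basedir = "/usr/local/www:/tmp"
'
SAMPLE_PLAIN='[PHP]
; safe_mode = On   ; commented out, so not in effect
safe_mode = Off
open_basedir =
'

for label in HARDENED PLAIN; do
    eval "ini=\$SAMPLE_$label"
    if advisory_preconditions_met "$ini"; then
        echo "$label: open_basedir/safe_mode in use -- keep the portaudit check"
    else
        echo "$label: neither in use -- a per-port DISABLE_VULNERABILITIES is defensible"
    fi
done
```

To run it against a real host, replace the embedded samples with the contents of the loaded php.ini (for example `advisory_preconditions_met "$(cat /usr/local/etc/php.ini)"`, assuming that is the file PHP reports as loaded); the functions deliberately read php.ini syntax rather than `php -i` output, whose "key => value => value" lines are formatted differently.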


Re: port php5 - what I am supposed to do here?

2006-10-05 Thread Matt Emmerton
 Hello List,

 Portaudit tells me about the open_basedir Race Condition
 Vulnerability, OK.

 By reading the advisory on
 http://www.hardened-php.net/advisory_082006.132.html I can safely say
 this does not apply to our environment, we don't use open_basedir or
 safe_mode and Suhosin is planned anyway (after test).

 With a portsnap fetch update I get a new version php5-5.1.6_1 in my
 portstree, OK.

 But portmanager -u or even manually with make install clean
 everything fails with the following message:

 ===>  php5-5.1.6_1 has known vulnerabilities:
 => php -- open_basedir Race Condition Vulnerability.
    Reference:
 http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html
 => Please update your ports tree and try again.
 *** Error code 1

 So what to do now?

You've established that the security issue doesn't apply to your
environment.

1) Add DISABLE_VULNERABILITIES=yes to /etc/make.conf
2) Run portupgrade -u or make install clean

Regards,
--
Matt Emmerton



Re: port php5 - what I am supposed to do here?

2006-10-05 Thread Alain Wolf

On 06.10.2006 05:53, * Matt Emmerton wrote:
 
 You've established that the security issue doesn't apply to your
 environment.
 
 1) Add DISABLE_VULNERABILITIES=yes to /etc/make.conf
 2) Run portupgrade -u or make install clean
 
 Regards,
 --
 Matt Emmerton
 

Thanks Matt, that did it. I knew there was a way. :-)

But then ...
As everything was in sync again, I wanted to install the suhosin-patch

And see what happens:

===>  Patching for php5-5.1.6_1
===>  Applying distribution patches for php5-5.1.6_1
===>  Applying FreeBSD patches for php5-5.1.6_1
1 out of 1 hunks failed--saving rejects to Zend/zend_alloc.c.rej
=> Patch patch-Zend_zend_alloc.c failed to apply cleanly.
=> Patch(es) patch-TSRM_threads.m4 patch-Zend::zend.h applied cleanly.
*** Error code 1

Stop in /usr/ports/lang/php5.


:-(

I found this strange as I had just read about the newest patch on the
cvs-ports list:

On 05.10.2006 22:59, * Alex Dupre wrote:
 ale 2006-10-05 20:59:17 UTC
 
   FreeBSD ports repository
 
   Modified files:
  lang/php5        Makefile
    Added files:
  lang/php5/files  patch-Zend_zend_alloc.c
   Log:
   Added safety checks against integer overflow.
   Bump PORTREVISION.
   While I'm here, I suggest all php users to use the suhosin patch
   and suhosin extension to harden the php installation.
   
   Submitted by:   simon
   Obtained from:  PHP CVS repo.
   
   Revision  ChangesPath
   1.102 +1 -1  ports/lang/php5/Makefile
   1.1   +21 -0 ports/lang/php5/files/patch-Zend_zend_alloc.c (new)
 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-ports

He suggests the suhosin patch, but in my experience it only builds
without it.

Anybody else got this kind of problems?


