http://qa.mandrakesoft.com/show_bug.cgi?id=4610

           Product: mod_php
         Component: program
           Summary: PHP Security update for MDK 8.2 (php-4.2.1-1.1mdk)
                    breaks mail()
           Version: 4.2.2-1mdk
          Platform: PC
        OS/Version: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


We installed the security updates for PHP a few days ago on our Mandrake 8.2
www server.

Today, we've noticed that our web application fails to send mails.

In /var/log/messages we can see the following error:
"mail() is  not supported in this PHP build"

It seems that mail support was left out when compiling the package... :(

The description on MandrakeUpdate says:

"A vulnerability was discovered in the transparent session ID support
in PHP4 prior to version 4.3.2.  It did not properly escape user-
supplied input prior to inserting it in the generated web page.  This
could be exploited by an attacker to execute embedded scripts within
the context of the generated HTML (CAN-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages
included with Mandrake Linux 8.2:  The mail() function did not filter
ASCII control filters from its arguments, which could allow an attacker
to modify the mail message content (CAN-2002-0986).  Another
vulnerability in the mail() function would allow a remote attacker to
bypass safe mode restrictions and modify the command line arguments
passed to the MTA in the fifth argument (CAN-2002-0985).

All users are encouraged to upgrade to these patched packages."


Well, disabling mail() completely is not an acceptable solution! There are
applications that depend on this functionality. I hope this is just a typo in the
RPM package, not the policy of this security fix...

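The two mail() weaknesses the quoted advisory describes (unfiltered ASCII control characters in the arguments, and the fifth argument reaching the MTA) together with the missing-function symptom the reporter saw, as an added PHP example; this is not code from the bug report or from Mandrake's packages, and the wrapper, its function names and the sample addresses are assumptions:

```php
<?php
// Added example (hypothetical wrapper, not Mandrake's or PHP's own code): a
// defensive front-end to mail() that (1) detects a build where mail() is
// absent, the failure this report describes, and (2) refuses ASCII control
// characters in the recipient, subject and extra headers, the input class
// CAN-2002-0986 concerns. The fifth mail() argument (extra sendmail options,
// the CAN-2002-0985 issue) is deliberately never passed through.

function contains_control_chars(string $value): bool
{
    // Reject every ASCII control character except TAB (0x09); CR and LF are
    // what let an injected value start a new header line in the message.
    return preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1;
}

function safe_send_mail(string $to, string $subject, string $body, array $headers = []): array
{
    if (!function_exists('mail')) {
        // Same condition behind the /var/log/messages error in the report.
        return ['sent' => false, 'reason' => 'mail() is not supported in this PHP build'];
    }
    foreach (['to' => $to, 'subject' => $subject] as $name => $value) {
        if (contains_control_chars($value)) {
            return ['sent' => false, 'reason' => "control character in $name"];
        }
    }
    $lines = [];
    foreach ($headers as $name => $value) {
        // Header names must be plain tokens; values must carry no CR/LF.
        if (!preg_match('/^[A-Za-z0-9-]+$/', $name) || contains_control_chars($value)) {
            return ['sent' => false, 'reason' => "control character in header $name"];
        }
        $lines[] = "$name: $value";
    }
    // Only four arguments: no additional_parameters are handed to the MTA.
    $ok = mail($to, $subject, $body, implode("\r\n", $lines));
    return ['sent' => $ok, 'reason' => $ok ? '' : 'mail() returned false'];
}

// Constructed inputs: a benign call, then a recipient carrying an injected
// Bcc header line, which the wrapper rejects before mail() is reached.
var_dump(safe_send_mail('user@example.com', 'Order confirmation', 'Thanks.',
                        ['From' => 'shop@example.com']));
var_dump(safe_send_mail("user@example.com\r\nBcc: other@example.com", 'Hi', 'x'));
```

On a build like the one in this report the first call returns the "not supported" reason instead of silently failing, which is the condition worth alerting on from application logs.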