http://qa.mandrakesoft.com/show_bug.cgi?id=4610
Product: mod_php
Component: program
Summary: PHP Security update for MDK 8.2 (php-4.2.1-1.1mdk) breaks mail()

Version: 4.2.2-1mdk
Platform: PC
OS/Version: All
Status: UNCONFIRMED
Severity: normal
Priority: P2
AssignedTo: [EMAIL PROTECTED]
ReportedBy: [EMAIL PROTECTED]

We installed the security updates for PHP a few days ago on our Mandrake 8.2 www server. Today, we noticed that our web application fails to send mails. In /var/log/messages we can see the following error:

"mail() is not supported in this PHP build"

It seems that mail support was left out when compiling the package... :(

The description on MandrakeUpdate says:

"A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user-supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CAN-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CAN-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CAN-2002-0985).

All users are encouraged to upgrade to these patched packages."

Well, disabling mail() completely is not an acceptable solution! There are applications that depend on this functionality. I hope this is just a typo in the RPM package, not the policy of this security fix...