http://qa.mandrakesoft.com/show_bug.cgi?id=4610
------- Additional Comments From [EMAIL PROTECTED] 2003-08-08 19:09 -------
On the aforementioned server we have multiple php packages installed, while the update only concerned some of them (no update for Mandrake 8.2 mod_php was published). Can this be the cause of mail() not working (difference in versions between mod_php and php)?

The list of php packages on our server:

$ rpm -qa | grep php
mod_php-4.1.2-1mdk
php-ldap-4.1.2-1mdk
php-common-4.1.2-1.1mdk
php-mysql-4.1.2-2mdk
php-xslt-4.1.2-1mdk
php-devel-4.1.2-1.1mdk
php-xml-4.1.2-1mdk
php-gd-4.1.2-1mdk
php-4.1.2-1.1mdk

--
Configure bugmail: http://qa.mandrakesoft.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: UNCONFIRMED
creation_date:
description:
We've installed the security updates for PHP a few days ago on our Mandrake 8.2 www server. Today, we've noticed that our web application fails to send mails. In /var/log/messages we can see the following error:

"mail() is not supported in this PHP build"

It seems that mail support was left out when compiling the package... :(

The description on MandrakeUpdate says:

"A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user-supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CAN-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CAN-2002-0986).

Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CAN-2002-0985).

All users are encouraged to upgrade to these patched packages."

Well, disabling mail() completely is not an acceptable solution! There are applications that depend on this functionality. I hope this is just a typo in RPM package, not the policy of this security fix...
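
A triage aid for the version question raised in the comment, added here as an example and not part of the bug report or of any Mandrake tooling: it reads `rpm -qa`-style lines and lists every PHP package whose version-release differs from the core `php` package. The function names `php_rpm_mismatch` and `sample_list` are hypothetical; the sample input is the package list quoted in the comment.

```shell
#!/bin/sh
# Added example (not from the bug report): flag PHP packages whose
# version-release differs from the core "php" package.
# Input: `rpm -qa`-style NAME-VERSION-RELEASE lines on stdin.

php_rpm_mismatch() {
    awk '
    {
        n = split($0, part, "-")
        if (n < 3) next                     # not NAME-VERSION-RELEASE
        # RPM versions and releases never contain "-", so the last two
        # fields are VERSION and RELEASE and the rest is the name.
        name = part[1]
        for (i = 2; i <= n - 2; i++) name = name "-" part[i]
        vr[name] = part[n-1] "-" part[n]
        order[++count] = name
    }
    END {
        ref = vr["php"]
        if (ref == "") { print "php package not found"; exit 2 }
        for (i = 1; i <= count; i++) {
            name = order[i]
            if (name != "php" && vr[name] != ref)
                print name " " vr[name] " (php is " ref ")"
        }
    }'
}

# Package list as quoted in the comment above.
sample_list() {
    cat <<'EOF'
mod_php-4.1.2-1mdk
php-ldap-4.1.2-1mdk
php-common-4.1.2-1.1mdk
php-mysql-4.1.2-2mdk
php-xslt-4.1.2-1mdk
php-devel-4.1.2-1.1mdk
php-xml-4.1.2-1mdk
php-gd-4.1.2-1mdk
php-4.1.2-1.1mdk
EOF
}

sample_list | php_rpm_mismatch
```

On a live system, pipe `rpm -qa | grep php` into `php_rpm_mismatch`. A differing release is a lead to check, not proof of a broken build: sub-packages can legitimately carry their own release number.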