http://qa.mandrakesoft.com/show_bug.cgi?id=4610





------- Additional Comments From [EMAIL PROTECTED]  2003-08-08 19:14 -------
I've just rebuilt PHP from the updates SRPM and installed it with force (rpm -Uhv
--force php*.rpm). This overwrote the following RPMs: php, php-common and
php-devel.

Then I've restarted apache, and mail() started working!

Maybe the updated binary RPMs are built improperly?

BTW, here are the log messages from the MandrakeUpdate we ran on that server
yesterday (which caused PHP mail() to stop working):

sie  7 17:07:22 www perl: [RPM] php-common-4.1.2-1.1mdk installed 
sie  7 17:07:31 www perl: [RPM] php-common-4.1.2-1mdk removed 
sie  7 17:07:31 www perl: [RPM] php-4.1.2-1.1mdk installed 
sie  7 17:07:31 www perl: [RPM] php-4.1.2-1mdk removed 
sie  7 17:07:33 www perl: [RPM] postfix-20010228-20.1mdk installed 
sie  7 17:07:45 www perl: [RPM] postfix-20010228-20mdk removed 
sie  7 17:07:48 www perl: [RPM] php-devel-4.1.2-1.1mdk installed 
sie  7 17:07:48 www perl: [RPM] php-devel-4.1.2-1mdk removed 





------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: UNCONFIRMED
creation_date: 
description: 
We installed the security updates for PHP a few days ago on our Mandrake 8.2
www server.

Today, we've noticed that our web application fails to send mails.

In /var/log/messages we can see the following error:
"mail() is not supported in this PHP build"

It seems that mail support was left out when compiling the package... :(

The description on MandrakeUpdate says:

"A vulnerability was discovered in the transparent session ID support
in PHP4 prior to version 4.3.2.  It did not properly escape user-
supplied input prior to inserting it in the generated web page.  This
could be exploited by an attacker to execute embedded scripts within
the context of the generated HTML (CAN-2003-0442).

As well, two vulnerabilities had not been patched in the PHP packages
included with Mandrake Linux 8.2:  The mail() function did not filter
ASCII control filters from its arguments, which could allow an attacker
to modify the mail message content (CAN-2002-0986).  Another
vulnerability in the mail() function would allow a remote attacker to
bypass safe mode restrictions and modify the command line arguments
passed to the MTA in the fifth argument (CAN-2002-0985).

All users are encouraged to upgrade to these patched packages."


Well, disabling mail() completely is not an acceptable solution! There are
applications that depend on this functionality. I hope this is just a typo in the
RPM package, not the policy of this security fix...

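The two mail() issues quoted from the advisory above, as an added example that is not part of the bug report or of Mandrake's PHP packages: a CR/LF inside a mail() argument starts a new header line (the CAN-2002-0986 class), and the fifth mail() argument is passed to the MTA command line (CAN-2002-0985). The snippet builds the header block a naive wrapper would hand to the MTA, then shows a wrapper that rejects ASCII control characters and never exposes the fifth argument. It stays in PHP 4 syntax to match the 4.1.2 build on the reporter's server; the function names (naive_headers, has_control_chars, safe_headers, send_contact_mail) and the attacker input are assumptions made for the illustration.

```php
<?php
// Added example, not code from the bug report or from Mandrake's packages.
// Function names and the attacker input below are assumptions made for this
// illustration; nothing here is sent, except by send_contact_mail().

// Constructed attacker input: a "subject" that smuggles a Bcc: header by
// terminating the Subject: line with CR LF.
$attacker_subject = "Hello\r\nBcc: victim@example.org";

// Naive wrapper: hands the subject to the MTA unchanged. Here it only builds
// the header block the MTA would see, so the injected line is visible.
function naive_headers($to, $subject)
{
    return "To: $to\r\nSubject: $subject\r\n";
}

// True if the value contains any ASCII control character except TAB (0x09):
// 0x00-0x08, 0x0A-0x1F or 0x7F. CR (0x0D) and LF (0x0A) are the ones that end
// a header line and let an attacker-supplied header in.
function has_control_chars($value)
{
    return preg_match('/[\x00-\x08\x0A-\x1F\x7F]/', $value) === 1;
}

// Hardened wrapper: refuses control characters in every header-bound argument
// instead of letting them reach the MTA. Returns the header block, or false.
function safe_headers($to, $subject)
{
    $fields = array('to' => $to, 'subject' => $subject);
    foreach ($fields as $name => $value) {
        if (has_control_chars($value)) {
            trigger_error("control characters in mail() $name argument", E_USER_WARNING);
            return false;
        }
    }
    return "To: $to\r\nSubject: $subject\r\n";
}

// Application entry point. The fifth mail() argument (extra command-line
// parameters for the MTA, the subject of CAN-2002-0985) is never passed, so
// user input cannot reach the sendmail command line at all. On the build this
// bug describes, mail() logs "mail() is not supported in this PHP build" and
// returns false, so the return value is checked rather than assumed.
function send_contact_mail($to, $subject, $body)
{
    if (safe_headers($to, $subject) === false) {
        return false;
    }
    $sent = mail($to, $subject, $body);
    if ($sent === false) {
        trigger_error("mail() failed; check the PHP build and the MTA", E_USER_WARNING);
    }
    return $sent;
}

// Demonstration: the naive wrapper emits the injected Bcc: line as a header of
// its own; the hardened one returns false for the same input and a header
// block for a clean subject.
echo naive_headers('admin@example.org', $attacker_subject);
var_dump(safe_headers('admin@example.org', $attacker_subject));
var_dump(safe_headers('admin@example.org', 'Hello'));
?>
```

The control-character filter is the same idea the advisory describes for the patched mail() (filtering ASCII control characters from its arguments); doing it in the application as well means the check does not depend on which binary RPM happens to be installed, which is exactly what went wrong on the server in this report.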