I received this CERT Advisory about 6 hours ago, regarding PHP. The php website confirms the details: www.php.net
I think this is going to be a problem for us, due to the way the Debian packaging works. We upgraded to Apache 1.3.19-1 for security reasons. Package dependencies meant we ended up with:

  apache        1.3.19-1
  mod_ssl       2.8.2-1
  openssl       0.9.6a-3
  libssl0.9.6   0.9.6a3
  php4          4.0.5-2
  php4-mysql    4.0.5-2
  mysql-server  3.23.46-2
  mysql-common  3.23.46-2
  mysql-client  3.23.46-2

Getting all the cross-dependencies to work was difficult, and we tried to get Apache 1.3.22 working, but the build in test, 1.3.22-5, is badly broken with an Apache bug from some time ago, where QUERY_STRING is not populated when using multiviews.

We originally selected Debian due to the granularity of the packaging system; however, stable is now lagging so far behind the real world that we have been forced to do a lot of jiggery-pokery to get basic things like Apache/PHP4/MySQL/SSL to work.

I guess that the immediate solution in this case is for us to try to get the unstable Apache 1.3.23 package + an updated PHP4 4.2.1 package + MySQL, SSL etc. to work. Mmmm - ain't going to be quick to test this and roll it out into production, and in the meantime we have production servers running a PHP4 that has a now widely known security issue.

Oh - and yes, we could go out of business and not accept data, but methinks my tenure would be somewhat shortened if I propose that at our emergency security meeting in an hour's time!

Help?

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]