Hello,

Can someone please give a straight answer about these PHP security holes?

OpenBSD 3.9, released yesterday, had packages supporting:

php 4.4.1p0
php 5.0.5p0

Are either of these vulnerable? If so, is someone going to release updated packages (not just ports)?

From the php 5.1.3 release:

The security issues resolved include the following:
* Disallow certain characters in session names.
* Fixed a buffer overflow inside the wordwrap() function.
* Prevent jumps to parent directory via the 2nd parameter of the tempnam() function.
* Enforce safe_mode for the source parameter of the copy() function.
* Fixed cross-site scripting inside the phpinfo() function.
* Fixed offset/length parameter validation inside the substr_compare() function.
* Fixed a heap corruption inside the session extension.
* Fixed a bug that would allow variable to survive unset().

thanks

Monday, May 1, 2006, 7:18:50 AM, you wrote:

> Hi.
> I haven't received a single test report, but I still get
> letters about asking for an update. How's that?
> This tarball also includes mysqli, fastcgi and hardened php support:
> http://gi.unideb.hu/~robert/php.tar.gz
> On (28/04/06 01:59), Robert Nagy wrote:
>> Hi.
>>
>> Finally after fighting with pear I've managed to create a working update
>> for the php5 port.
>> The PHP guys have changed the installation method of pear to use some crappy
>> PHP_Archive. With this move they broke the installation of pear on several
>> linux distros (e.g. Frugalware), OpenDarwin and on OpenBSD of course.
>> Any other crappy package managements where they install files directly to
>> ${LOCALBASE}

--
Best regards,
paul mailto:[EMAIL PROTECTED]
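An added example, not part of the mailing-list post and not from the OpenBSD port: a small PHP script an administrator could drop on a host still running one of the 4.4.x / 5.0.x packages named above. It checks whether the interpreter predates the 5.1.3 release the post quotes, and adds userland guards for the three listed items that admit an application-side check (session-name characters, the tempnam() prefix, and substr_compare() offset/length). The other listed fixes (wordwrap() overflow, phpinfo() XSS, session-extension heap corruption, unset() survival) live inside the engine and need the package update; nothing here substitutes for that. Function names, the regular expression and the sample inputs are my own choices and assumptions, not anything the post or PHP defines.

```php
<?php
// Added example, not from the post: pre-upgrade checks for a PHP 4.4.x / 5.0.x host.
// The 5.1.3 threshold is the release the post quotes; helper names are hypothetical.

define('PHP_FIXED_VERSION', '5.1.3');

// True when the running interpreter is older than the release carrying the listed fixes.
function php_predates_fix_release($version = PHP_VERSION) {
    return version_compare($version, PHP_FIXED_VERSION, '<');
}

// Guard for the session-name item: accept only a conservative character set
// (letter first, then letters/digits/underscore, at most 64 chars) before
// handing the value to session_name(). Returns false on rejected input.
function safe_session_name($name) {
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name)) {
        return false;
    }
    return session_name($name);
}

// Guard for the tempnam() prefix item: reject a prefix carrying a directory
// separator, a NUL byte or a parent-directory component, then confirm the
// created file really resides under $dir (realpath() resolves symlinks and '..').
function safe_tempnam($dir, $prefix) {
    if (strpbrk($prefix, "/\\\0") !== false || strpos($prefix, '..') !== false) {
        return false;
    }
    $path = tempnam($dir, $prefix);
    $real_dir = realpath($dir);
    $real_path = ($path === false) ? false : realpath($path);
    if ($real_dir === false || $real_path === false
        || strpos($real_path, $real_dir . DIRECTORY_SEPARATOR) !== 0) {
        if ($path !== false) {
            @unlink($path); // do not leave a stray file behind on rejection
        }
        return false;
    }
    return $path;
}

// Guard for the substr_compare() item: validate offset and length against the
// main string ourselves instead of relying on the extension's own checks.
function safe_substr_compare($main, $str, $offset, $length = null) {
    $len = strlen($main);
    if ($offset < 0) {
        $offset += $len; // negative offset counts from the end, as PHP does
    }
    if ($offset < 0 || $offset > $len) {
        return false;
    }
    if ($length !== null && ($length < 0 || $offset + $length > $len)) {
        return false;
    }
    return ($length === null)
        ? substr_compare($main, $str, $offset)
        : substr_compare($main, $str, $offset, $length);
}

// Usage: short report on the current host (constructed sample inputs).
printf("PHP %s predates %s: %s\n", PHP_VERSION, PHP_FIXED_VERSION,
       php_predates_fix_release() ? 'yes, update the package' : 'no');
var_dump(safe_session_name('PHPSESSID'));     // previous name, or false on bad input
var_dump(safe_session_name('bad;name'));      // bool(false)
var_dump(safe_tempnam('/tmp', '..'));         // bool(false): parent-dir component rejected
var_dump(safe_substr_compare('abcdef', 'cd', 2, 2) === 0); // bool(true)
var_dump(safe_substr_compare('abcdef', 'cd', 2, 99));      // bool(false): length past end
```

The guards are defensive wrappers, not patches: a request that reaches session_name() or tempnam() through some other code path is unprotected, so the version check at the top is the one that decides whether the host is still exposed.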