Yeah. Apache is vulnerable to a buffer overflow in the chunked-encoding, and PHP has (I think) a buffer overflow in the multipart/form-data POST form handling. It might be a format string though... that just came out this week. Yesterday, I think.

For dev you might want to consider using the CVS version - that's what I do. And if you set up a script for the cron-tab or something you could get the latest version overnight... Unfortunately, Apache CVS is not open to the public.

On Tuesday 23 July 2002 17:58 pm, you wrote:
> Well, that would be nice! Sort of 'completes-my-day' :>
> So, both are vulnerable, eh? Great.
>
> Thanks for the warning -- but I'm using them for design only. Once the site
> is on-line, I'll be sure to use the upgraded versions. From what I read
> on-list, however, the current 'upgrades' have their problems too. Luckily,
> I'll be on-line later in the fall, so enough time might pass for the new
> PHP to stabilize.
>
> Regards, Andre
>
> On Tuesday 23 July 2002 08:47 pm, you wrote:
> > What do you guys think? Should we tell him he's running a vulnerable
> > version of PHP _and_ of Apache???
> >
> > On Tuesday 23 July 2002 16:26 pm, Andre Dubuc wrote:
> > > Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2
> > <snipped>

-- 
He who learns must suffer. Aeschylus

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
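As an added example, not from this thread and not code of the Apache or PHP projects: a small POSIX shell script that answers the question raised above ("is he running a vulnerable version of PHP and of Apache?") from the host itself, by parsing the version lines `httpd -v` and `php -v` print and comparing them field by field against a minimum fixed release. The parsers and the comparison are mine; the sample output lines are constructed using the versions named in the thread, and the minimum versions are placeholders that must be set from the vendors' advisories (the script refuses to report "ok" while they are unset).

```shell
#!/bin/sh
# Added example, not from the thread: flag an installed Apache/PHP pair whose
# reported versions fall below a minimum fixed release. The minimums are
# placeholders to be replaced with the releases named in the vendor advisories.

# is_version S : true if S looks like a dotted numeric version (e.g. 1.3.23)
is_version() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# version_ge A B : 0 if dotted version A >= B (compared numerically, field by
# field), 1 if A < B, 2 if either argument is not a version at all
version_ge() {
    is_version "$1" && is_version "$2" || return 2
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0     # a missing trailing field counts as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# apache_version LINE : "1.3.23" from the first line of `httpd -v`
apache_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# php_version LINE : "4.1.2" from the first line of `php -v`
php_version() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# check_component NAME INSTALLED MINIMUM : prints one report line and returns
# 0 (at or above the minimum), 1 (below it) or 2 (unusable input, e.g. the
# installed version could not be parsed or the minimum is still a placeholder)
check_component() {
    if ! is_version "$2"; then
        printf '%s: could not parse installed version\n' "$1"; return 2
    fi
    if ! is_version "$3"; then
        printf '%s %s: minimum not set (placeholder "%s")\n' "$1" "$2" "$3"; return 2
    fi
    if version_ge "$2" "$3"; then
        printf '%s %s: ok (>= %s)\n' "$1" "$2" "$3"; return 0
    fi
    printf '%s %s: BELOW fixed release %s, upgrade\n' "$1" "$2" "$3"; return 1
}

# Constructed sample output in the formats `httpd -v` and `php -v` print, using
# the versions named in the thread; on a live host use
# APACHE_OUT=$(httpd -v | head -n 1) and PHP_OUT=$(php -v | head -n 1) instead.
APACHE_OUT='Server version: Apache/1.3.23 (Unix)'
PHP_OUT='PHP 4.1.2 (cli) (built: Mar 12 2002 14:13:40)'

# Placeholders: export MIN_APACHE / MIN_PHP set to the fixed releases from the
# advisories before running; until then every check reports "minimum not set".
MIN_APACHE="${MIN_APACHE:-SET_FROM_APACHE_ADVISORY}"
MIN_PHP="${MIN_PHP:-SET_FROM_PHP_ADVISORY}"

# report : check both components; returns 0 only if both are at or above minimum
report() {
    status=0
    check_component Apache "$(apache_version "$APACHE_OUT")" "$MIN_APACHE" || status=1
    check_component PHP "$(php_version "$PHP_OUT")" "$MIN_PHP" || status=1
    return "$status"
}

report || :    # demonstration run; call report directly to use its exit status
```

The comparison is done in awk rather than with `sort -V` because the latter is a GNU extension, and the `is_version` guard matters: without it a placeholder or an empty parse result would be coerced to 0 and the script would happily report "ok".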