Re: [CentOS] PHP vulnerability CVE-2016-4073
On 2016-Sep-21 11:00, Alice Wonder wrote:
> I feel the same way but I find that it is generally safe and beneficial to
> update the LAMP stack on servers and the multimedia stack on the desktop.
>
> Things like HTTP/2 are not available in the Apache that ships even with
> CentOS 7 and the PHP is so outdated that it causes problems when using third
> party projects because the developers of those projects aren't using
> anything that old anymore. And for the TLS stack, mobile really benefits
> from chacha20 ciphers.
>
> With respect to multimedia, there's the fluendo codec pack but interestingly
> FireFox won't play mp3 with the fluendo codec pack, it wants the libmad
> plugin.
>
> And even more bizarre, maybe they have fixed it, but GStreamer 1.x in CentOS
> 7 when it shipped was not capable of decoding the VP9 codec used in WebM2.
> CentOS 7 came with tools to encode VP9 but the GStreamer was too crusty to
> decode it, and the commercial fluendo plugins were of no help there -
> replacing the GStreamer 1.x packages with a modern build was the only
> option.
>
> Stability is pointless when it doesn't serve the intended purpose.

Agree, but applications on my server work just fine with the old version. In
case I need a feature available only in the new version, I'd move to the new
one.

There is another CVE I'm having a problem with.

https://access.redhat.com/security/cve/cve-2015-8866

This one is still under investigation. I see Remi's comment in the bugzilla
that it isn't really a security issue, but it's the Approved Scanning Vendors
who should be convinced of that, and they mark its PCI status as "fail".

Anyone have any idea how to mitigate this issue? Some workaround?

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] PHP vulnerability CVE-2016-4073
On 2016-Sep-21 14:45, Eero Volotinen wrote:
> https://pci.qualys.com/static/help/merchant/questionnaires/compensating_controls_definition.htm
>
> Eero

Well, I was hoping to get some ideas for compensating controls in this case.
Anyhow, I just added mb_strcut() to disable_functions. I'll be able to live
without it.

> 2016-09-21 14:02 GMT+03:00 Прокси <proxy-...@mail.ru>:
>
> > Hello,
> >
> > My server with CentOS 6.8 just failed a PCI scan, so I'm looking into
> > vulnerable packages. PHP 5.3.3 has multiple vulnerabilities, some of
> > them are fixed/patched or have some kind of workaround. But I can't find
> > a way to fix this one. Red Hat states: under investigation.
> >
> > https://access.redhat.com/security/cve/cve-2016-4073
> >
> > This CVE is 6 months old, and it doesn't look like it will be fixed.
> > Does anyone know a way to go around this? Except blocking the mb_strcut()
> > function.
> >
> > Thanks!
Re: [CentOS] PHP vulnerability CVE-2016-4073
On 2016-Sep-21 14:35, Adrian Sevcenco wrote:
> On 09/21/2016 02:02 PM, Прокси wrote:
> > Hello,
> >
> > My server with CentOS 6.8 just failed a PCI scan, so I'm looking into
> > vulnerable packages. PHP 5.3.3 has multiple vulnerabilities, some of
> > them are fixed/patched or have some kind of workaround. But I can't find
> > a way to fix this one. Red Hat states: under investigation.
> >
> > https://access.redhat.com/security/cve/cve-2016-4073
> >
> > This CVE is 6 months old, and it doesn't look like it will be fixed.
> > Does anyone know a way to go around this? Except blocking the mb_strcut()
> > function.
> you could try the unsupported php from remi repos... you can find there php
> 7.0 ..

I use CentOS because I need stable and patched packages, so I can be sure that
all applications work without unpleasant surprises. Going to unsupported
packages would be my last option.
[CentOS] PHP vulnerability CVE-2016-4073
Hello,

My server with CentOS 6.8 just failed a PCI scan, so I'm looking into
vulnerable packages. PHP 5.3.3 has multiple vulnerabilities, some of them are
fixed/patched or have some kind of workaround. But I can't find a way to fix
this one. Red Hat states: under investigation.

https://access.redhat.com/security/cve/cve-2016-4073

This CVE is 6 months old, and it doesn't look like it will be fixed. Does
anyone know a way to go around this? Except blocking the mb_strcut() function.

Thanks!
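The workaround that comes up in this thread (here and in the follow-up where mb_strcut() was added to disable_functions) is only useful if the loaded php.ini really carries that entry. As an added example that is not from the thread or any of its posters, this POSIX shell script checks a php.ini for it; the parsing rules stated in the comments are assumptions, and the sample php.ini is constructed.

```shell
#!/bin/sh
# Added example (not from this thread): check that a php.ini actually lists
# mb_strcut in disable_functions, the workaround the poster applied.
# Parsing rules assumed: the last uncommented "disable_functions = ..." line
# wins, the value may be double-quoted, and entries are comma-separated.

# Print the effective disable_functions value of the given php.ini,
# with surrounding quotes and all whitespace removed.
effective_disable_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/^"\(.*\)"$/\1/' | tr -d '[:space:]'
}

# Succeed (exit 0) only if function $2 is in the disable_functions list of $1.
# PHP function names are case-insensitive, so the match is too.
function_is_disabled() {
    effective_disable_functions "$1" | tr ',' '\n' | grep -qix -- "$2"
}

# Demo on a constructed php.ini; the commented-out line must not count.
demo() {
    ini=$(mktemp)
    cat > "$ini" <<'EOF'
; constructed sample php.ini
;disable_functions = exec,shell_exec
disable_functions = "system, passthru, mb_strcut"
EOF
    if function_is_disabled "$ini" mb_strcut; then
        echo "mb_strcut is disabled in $ini"
    else
        echo "mb_strcut is NOT disabled in $ini" >&2
    fi
    rm -f "$ini"
}
demo
```

Run it against the file that `php --ini` reports as the loaded configuration; the setting only takes effect once the web server or PHP-FPM has been restarted.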
Re: [CentOS] Apache mod_perl cross site scripting vulnerability
On 2015-Aug-12 05:17, Ellen Shull wrote:
> On Wed, Aug 12, 2015 at 3:39 AM, Proxy One proxy-...@mail.ru wrote:
> > Is there a way to use curl for testing? I'm getting a new line because of
> > the single quote inside the string, and escaping it with a backslash gives
> > me: bash: syntax error near unexpected token `'
>
> You can use curl's -K option which lets you stick arguments in a file,
> helpful for getting around shell quoting nightmares. For example make a file
> named test-url-file which contains the line
>
> url = http://www.mydomain.com/[bad stuff, don't want this message tripping
> over some filter for containing a malicious-looking URL]
>
> then do
>
> curl -g -K test-url-file
>
> Note that just gets you around shell interpretation; curl does some of its
> own as well. The -g switch I used there disables its interpretation of {}[]
> as special globbing characters. If you put the url in double quotes then not
> only do you have to escape any double quotes in the string, it also starts
> interpreting backslash sequences so you have to double all backslashes--so
> oddly it's best to just leave quotes off.

Thanks, it works! I was able to reproduce the problem and was able to see how
my changes affected the response from the server.
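Ellen's -K/-g approach, as an added example that is not from the thread: a POSIX shell script that writes the test URL into a curl config file, applying the quoting rule she describes, and then runs curl against it. The URL and the localhost target are constructed and harmless; curl is assumed to be installed only for the fetch step.

```shell
#!/bin/sh
# Added example (not from this thread): keep the test URL out of the shell
# entirely by writing it to a curl config file and calling curl -g -K.
# The URL is a constructed, harmless one that contains the single quote and
# the brackets that caused the quoting trouble above; curl itself is only
# invoked if it is installed.

# Write a one-line curl config (-K format) for the given URL. The value is
# double-quoted so it may contain spaces; inside quotes curl treats \" and
# \\ as escape sequences, so those two characters are escaped here.
write_curl_config() {
    cfg=$1
    esc=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf 'url = "%s"\n' "$esc" > "$cfg"
}

# Fetch with globbing disabled (-g) so {} and [] in the URL stay literal,
# printing only the HTTP status code. Returns 2 if curl is not available.
probe_with_config() {
    command -v curl >/dev/null 2>&1 || return 2
    curl -g -s -m 5 -o /dev/null -w '%{http_code}\n' -K "$1"
}

cfg=$(mktemp)
write_curl_config "$cfg" "http://localhost/test?q=[x]'y"
cat "$cfg"            # url = "http://localhost/test?q=[x]'y"
probe_with_config "$cfg" || echo "curl did not complete (status $?)"
rm -f "$cfg"
```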
Re: [CentOS] Facebook CentOS group close to 15.000 members!
On 2015-Mar-23 17:44, Niki Kovacs wrote:
> I recently joined that list and wanted to publish a simple link to my
> technical blog dedicated to CentOS (http://kikinovak.wordpress.com).

Too bad it's not in English. It would be interesting to follow your posts as
you discover CentOS more and more, given that I also used Slackware.

> There's no commercial interest behind it, only the wish to share my personal
> configurations. The Facebook group sees it as self-promotion and doesn't want
> to publish it. On the other hand, you're allowed to publish jokes without any
> problem. I couldn't quite grasp the concept behind it, so I left the group.