Re: AW: Vulnerable PHP version according to nessus
* Jordon Bedwell:

> New upstream version is used pretty loosely here. I would hardly
> consider a bug fix release a new version. You guys treat versions as
> if they're a matter of national security, because 5.3.7 vs 5.3.8 is
> obviously gonna have some major major API changes and some way new
> features.

5.3.7 to 5.3.8 perhaps not (I didn't check this), but we shipped 5.3.3 in squeeze. Upgrading to 5.3.7 and later would introduce the changed is_a behavior, among other things. We don't want to force such changes upon users, and certainly not in security updates.

--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87aa6c4fg3@mid.deneb.enyo.de
Re: Vulnerable PHP version according to nessus
Depending on your aim with your www-serv, check out suhosin.org. Some patches that harden PHP when used in multi-user envs.

Sent from my iPhone

On 28 Dec 2011, at 13:45, Dave Henley wrote:

> thanks Dave
>
>> Date: Wed, 28 Dec 2011 15:31:53 +0200
>> From: he...@nerv.fi
>> To: dhenl...@live.com
>> CC: j.andra...@gmail.com; j...@debian.org; debian-security@lists.debian.org
>> Subject: Re: Vulnerable PHP version according to nessus
>>
>> On Wed, Dec 28, 2011 at 12:53:13PM +, Dave Henley wrote:
>>> Thanks, I checked the CVEs against the changelogs and approx. 50% is covered.
>>> Is there a website of some sort to check what kind of CVEs have been patched?
>>> If nessus does not provide a reliable report, what is the best next step to take here?
>>> Are there any howtos or tutorials on how to secure a php installation on a debian system?
>>> Any suggestions would be very helpful.
>>
>> Update all software in your www-server. Some useful links:
>>
>> http://security-tracker.debian.org/tracker/
>> http://www.debian.org/doc/manuals/securing-debian-howto/
>>
>> - Henri Salo
RE: Vulnerable PHP version according to nessus
thanks Dave

> Date: Wed, 28 Dec 2011 15:31:53 +0200
> From: he...@nerv.fi
> To: dhenl...@live.com
> CC: j.andra...@gmail.com; j...@debian.org; debian-security@lists.debian.org
> Subject: Re: Vulnerable PHP version according to nessus
>
> On Wed, Dec 28, 2011 at 12:53:13PM +, Dave Henley wrote:
>> Thanks, I checked the CVEs against the changelogs and approx. 50% is
>> covered.
>> Is there a website of some sort to check what kind of CVEs have been
>> patched?
>> If nessus does not provide a reliable report, what is the best next step to
>> take here?
>> Are there any howtos or tutorials on how to secure a php installation on a
>> debian system?
>> Any suggestions would be very helpful.
>
> Update all software in your www-server. Some useful links:
>
> http://security-tracker.debian.org/tracker/
> http://www.debian.org/doc/manuals/securing-debian-howto/
>
> - Henri Salo
Re: Vulnerable PHP version according to nessus
On Wed, Dec 28, 2011 at 12:53:13PM +, Dave Henley wrote:
> Thanks, I checked the CVEs against the changelogs and approx. 50% is covered.
> Is there a website of some sort to check what kind of CVEs have been patched?
> If nessus does not provide a reliable report, what is the best next step to
> take here?
> Are there any howtos or tutorials on how to secure a php installation on a
> debian system?
> Any suggestions would be very helpful.

Update all software in your www-server. Some useful links:

http://security-tracker.debian.org/tracker/
http://www.debian.org/doc/manuals/securing-debian-howto/

- Henri Salo
RE: Vulnerable PHP version according to nessus
Thanks, I checked the CVEs against the changelogs and approx. 50% is covered.
Is there a website of some sort to check what kind of CVEs have been patched?
If nessus does not provide a reliable report, what is the best next step to take here?
Are there any howtos or tutorials on how to secure a php installation on a debian system?
Any suggestions would be very helpful.

From: j.andra...@gmail.com
Date: Wed, 28 Dec 2011 12:47:48 +0100
Subject: Re: Vulnerable PHP version according to nessus
To: j...@debian.org
CC: debian-security@lists.debian.org

2011/12/28 Moritz Mühlenhoff

> Dave Henley wrote:
>> I recently installed a Debian Squeeze system along with apache2 and PHP5.
>> The system is fully up-to-date and the following php packages are installed:
>
> Nearly all Nessus checks are junk; they only check version
> numbers, but not whether a vulnerability has actually been fixed.

In order to try to be more accurate, you could enable the "Thorough scan" option in Nessus. Disabling the "safe checks" option might help, so Nessus does not rely (only) on version number and banners but actually tries to exploit the vulnerability (depending on how the NASL script/plugin is written, of course). However, this could mean that, if there is a denial of service vulnerability or any other that might impact running services, these might be affected, and maybe the service would have to be restarted or even the host rebooted (for example, if it's a vulnerability that crashes the OS).

> Since we address security vulnerabilities with backports this
> leads to numerous false positives.
>
> Cheers,
> Moritz

Best Regards,

--
Jonás Andradas
GPG Fingerprint: 678F 7BD0 83C3 28CE 9E8F 3F7F 4D87 9996 E0C6 9372
Re: AW: Vulnerable PHP version according to nessus
On Wed, Dec 28, 2011 at 2:54 AM, Adam D. Barratt wrote:
> On 28.12.2011 07:56, Patrick Geschke wrote:
>> Hey,
>>
>> @Maintainers: What's the overall status of the package?
>>
>> According to php.net 5.3.8 is stable.
>
> 5.3.8 is in both testing and unstable - see
> http://packages.qa.debian.org/p/php5.html
>
> Debian stable doesn't generally get new upstream versions of packages.
>
> Regards,
>
> Adam

New upstream version is used pretty loosely here. I would hardly consider a bug fix release a new version. You guys treat versions as if they're a matter of national security, because 5.3.7 vs 5.3.8 is obviously gonna have some major major API changes and some way new features.
Re: Vulnerable PHP version according to nessus
2011/12/28 Moritz Mühlenhoff

> Dave Henley wrote:
>> I recently installed a Debian Squeeze system along with apache2 and PHP5.
>> The system is fully up-to-date and the following php packages are
>> installed:
>
> Nearly all Nessus checks are junk; they only check version
> numbers, but not whether a vulnerability has actually been fixed.

In order to try to be more accurate, you could enable the "Thorough scan" option in Nessus. Disabling the "safe checks" option might help, so Nessus does not rely (only) on version number and banners but actually tries to exploit the vulnerability (depending on how the NASL script/plugin is written, of course). However, this could mean that, if there is a denial of service vulnerability or any other that might impact running services, these might be affected, and maybe the service would have to be restarted or even the host rebooted (for example, if it's a vulnerability that crashes the OS).

> Since we address security vulnerabilities with backports this
> leads to numerous false positives.
>
> Cheers,
> Moritz

Best Regards,

--
Jonás Andradas
GPG Fingerprint: 678F 7BD0 83C3 28CE 9E8F 3F7F 4D87 9996 E0C6 9372
Re: Vulnerable PHP version according to nessus
Dave Henley wrote:
> I recently installed a Debian Squeeze system along with apache2 and PHP5.
> The system is fully up-to-date and the following php packages are installed:

Nearly all Nessus checks are junk; they only check version numbers, but not whether a vulnerability has actually been fixed.

Since we address security vulnerabilities with backports this leads to numerous false positives.

Cheers,
Moritz
Re: AW: Vulnerable PHP version according to nessus
On 28.12.2011 07:56, Patrick Geschke wrote:
> Hey,
>
> @Maintainers: What's the overall status of the package?
>
> According to php.net 5.3.8 is stable.

5.3.8 is in both testing and unstable - see http://packages.qa.debian.org/p/php5.html

Debian stable doesn't generally get new upstream versions of packages.

Regards,

Adam
Re: Vulnerable PHP version according to nessus
On Wed, Dec 28, 2011 at 07:59:08AM +, Dave Henley wrote:
> When I scan my system for vulnerabilities with nessus I get the following
> high risk output:
>
> Synopsis: The remote web server uses a version of PHP that is affected by
> multiple vulnerabilities.
>
> Description
> According to its banner, the version of PHP 5.3.x installed on the
> remote host is older than 5.3.7.
>
> Solution
> Upgrade to PHP 5.3.7 or later.
>
> How do I solve this problem and make sure my system is not prone to any PHP
> vulnerabilities?

I would guess that Nessus just checks the version number without taking into account the fact that Debian normally backports security patches instead of upgrading to a newer upstream version. You can see from the changelog.Debian.gz which CVEs are patched.
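The changelog check Henri suggests (and Dave's later question of how to tell which CVEs are already patched), as an added example that is not part of the thread: it pulls the CVE ids out of Debian changelog entries and splits a scanner's CVE list into backport-covered and still-open. The changelog text below is constructed and its CVE numbers are placeholders; installed_changelog assumes the standard /usr/share/doc/<package>/changelog.Debian.gz location.

```python
"""Added example, not from the thread: triage a scanner's version-based PHP
finding against the CVE ids recorded in Debian's changelog.Debian.gz.
Debian fixes issues by backporting to the shipped version (5.3.3-7+squeeze3
here), so a banner check like "older than 5.3.7" cannot tell fixed from unfixed.
"""
import gzip
import re
from pathlib import Path

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# First line of a Debian changelog entry: "pkg (version) distribution; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) [\w-]+; urgency=", re.M)

# Constructed sample changelog; the CVE numbers are placeholders, not real ids.
SAMPLE_CHANGELOG = """\
php5 (5.3.3-7+squeeze3) stable-security; urgency=high

  * Backport upstream fixes for CVE-2011-90001 and CVE-2011-90002.

 -- Example Maintainer <maint@example.invalid>  Wed, 21 Sep 2011 10:00:00 +0000

php5 (5.3.3-7+squeeze2) stable-security; urgency=high

  * Fix CVE-2011-90003, CVE-2011-90004.

 -- Example Maintainer <maint@example.invalid>  Thu, 12 May 2011 10:00:00 +0000
"""

def fixed_cves(changelog_text):
    """Map each CVE id named in the changelog to the version that fixed it.
    Entries are newest first, so the first version seen for an id is kept."""
    fixed = {}
    parts = ENTRY_RE.split(changelog_text)  # [preamble, pkg, version, body, ...]
    for i in range(1, len(parts), 3):
        version, body = parts[i + 1], parts[i + 2]
        for cve in CVE_RE.findall(body):
            fixed.setdefault(cve, version)
    return fixed

def triage(reported_cves, changelog_text):
    """Split the scanner's CVE list into (covered {cve: version}, still_open [cve])."""
    fixed = fixed_cves(changelog_text)
    covered = {c: fixed[c] for c in reported_cves if c in fixed}
    return covered, sorted(c for c in reported_cves if c not in fixed)

def installed_changelog(package="php5-common"):
    """Read the changelog shipped with an installed package (standard Debian path, assumed)."""
    path = Path("/usr/share/doc") / package / "changelog.Debian.gz"
    return gzip.open(path, "rt", errors="replace").read()
```

Anything left in the still-open list is what actually needs a look on the security tracker; a version-only scanner finding tells you nothing about the covered ones.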
AW: Vulnerable PHP version according to nessus
Hey,

@Maintainers: What's the overall status of the package?

According to php.net 5.3.8 is stable.

Greetings,
Patrick

--
Patrick Geschke
System administration
KiKxxl GmbH
Mail: pgesc...@kikxxl.de
WWW : http://www.kikxxl.de

-----Original Message-----
From: Dave Henley [mailto:dhenl...@live.com]
Sent: Wednesday, 28 December 2011 08:59
To: debian-security@lists.debian.org
Subject: Vulnerable PHP version according to nessus

I recently installed a Debian Squeeze system along with apache2 and PHP5. The system is fully up-to-date and the following php packages are installed:

  ii  libapache2-mod-php5  5.3.3-7+squeeze3  server-side, HTML-embedded scripting language (Apache 2 module)
  ii  php-pear             5.3.3-7+squeeze3  PEAR - PHP Extension and Application Repository
  ii  php5                 5.3.3-7+squeeze3  server-side, HTML-embedded scripting language (metapackage)
  ii  php5-cli             5.3.3-7+squeeze3  command-line interpreter for the php5 scripting language
  ii  php5-common          5.3.3-7+squeeze3  Common files for packages built from the php5 source
  ii  php5-mysql           5.3.3-7+squeeze3  MySQL module for php5
  ii  php5-suhosin         0.9.32.1-1

When I scan my system for vulnerabilities with nessus I get the following high risk output:

Synopsis: The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description
According to its banner, the version of PHP 5.3.x installed on the remote host is older than 5.3.7.

Solution
Upgrade to PHP 5.3.7 or later.

How do I solve this problem and make sure my system is not prone to any PHP vulnerabilities?

Thanks,
Dave