Re: PHP Update .. details
> Initially a few CVE numbers were assigned and then later withdrawn
> when it became clear that the issues could only be exploited by a
> user who wrote a malicious PHP script - not a remote issue, or too
> serious. (Given that if you had the ability to write evil PHP code
> you could just run 'system('rm ..');'.)

Just would like to draw your attention to the following page:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046

Basically, they claim that phpBB v2.0.11 running on PHP version < 4.3.10 becomes remotely vulnerable, and they claim there are exploits in the wild -- which backs their claim, and makes it definitely a serious issue. When PHP is upgraded to 4.3.10, it's no longer vulnerable.

Being a layman, I'm not able to confirm that claim. However, since this is an official announcement from them, I think it's worth reading over at least. Hopefully the Debian security team will be convinced to patch the php4 package then.

Thanks,
Harry

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: PHP Update .. details
Hi!

> It's looking like there won't be an update to PHP for Woody, because
> the majority of the PHP issues aren't relevant.
>
> Initially a few CVE numbers were assigned and then later withdrawn
> when it became clear that the issues could only be exploited by a
> user who wrote a malicious PHP script - not a remote issue, or too
> serious. (Given that if you had the ability to write evil PHP code
> you could just run 'system('rm ..');'.)

Unfortunately those vulnerabilities can be exploited by a user to execute arbitrary code with the privileges of the user running the web server (www-data on woody). This defeats the purpose of the PHP "safe mode" (http://www.php.net/manual/en/features.safe-mode.php) on which many ISPs rely.

If the Debian project does not want to fix those issues, IMHO Debian should make an official statement that using the PHP safe mode with Debian Woody does not offer the security one would expect.

Regards,
Hans

--
Hans Kratz