Re: phpBB patch?

2007-02-01 Thread gareth
On Wed 2007-01-24 (19:51), Gordon Stratton wrote:
> On 1/24/07, gareth [EMAIL PROTECTED] wrote:
> > hi, portupgrade just upgraded phpbb-2.0.22 to phpbb-2.0.22_1.
> > it used phpBB-2.0.22.tar.bz2 from www.phpbb.com (same as before),
> > and as far as i can tell the .php files are the same (and naturally
> > the database is untouched). does anyone know what this upgrade
> > was meant to achieve?
>
> From the log[1]:
> ---
> Remove previously added security patch against session table
> exhaustion, as it causes more problems in the latest phpbb
> version.  Users are advised to drop and re-create their
> session tables (phpbb_sessions, phpbb_sessions_keys) without
> using HEAP tables.

ah, thanx for the link. so this's the only thing that changed? :

http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/phpbb/files/Attic/security-patch-includes-sessions.php?annotate=1.2
___
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: phpBB patch?

2007-02-01 Thread LI Xin
gareth wrote:
> On Wed 2007-01-24 (19:51), Gordon Stratton wrote:
> > On 1/24/07, gareth [EMAIL PROTECTED] wrote:
> > > hi, portupgrade just upgraded phpbb-2.0.22 to phpbb-2.0.22_1.
> > > it used phpBB-2.0.22.tar.bz2 from www.phpbb.com (same as before),
> > > and as far as i can tell the .php files are the same (and naturally
> > > the database is untouched). does anyone know what this upgrade
> > > was meant to achieve?
> > From the log[1]:
> > ---
> > Remove previously added security patch against session table
> > exhaustion, as it causes more problems in the latest phpbb
> > version.  Users are advised to drop and re-create their
> > session tables (phpbb_sessions, phpbb_sessions_keys) without
> > using HEAP tables.
>
> ah, thanx for the link. so this's the only thing that changed? :
>
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/phpbb/files/Attic/security-patch-includes-sessions.php?annotate=1.2

Yes.  The only change is that the patch is removed and PORTREVISION is bumped.

Cheers,
-- 
Xin LI [EMAIL PROTECTED]  http://www.delphij.net/
FreeBSD - The Power to Serve!





Re: phpBB patch?

2007-02-01 Thread gareth
On Thu 2007-02-01 (23:24), LI Xin wrote:
> > ah, thanx for the link. so this's the only thing that changed? :
> >
> > http://www.freebsd.org/cgi/cvsweb.cgi/ports/www/phpbb/files/Attic/security-patch-includes-sessions.php?annotate=1.2
>
> Yes.  The only change is that the patch is removed and PORTREVISION is bumped.

thanx ;)


phpBB patch?

2007-01-24 Thread gareth
hi, portupgrade just upgraded phpbb-2.0.22 to phpbb-2.0.22_1.
it used phpBB-2.0.22.tar.bz2 from www.phpbb.com (same as before),
and as far as i can tell the .php files are the same (and naturally
the database is untouched). does anyone know what this upgrade
was meant to achieve?

- gareth


Re: phpBB patch?

2007-01-24 Thread LI Xin
gareth wrote:
> hi, portupgrade just upgraded phpbb-2.0.22 to phpbb-2.0.22_1.
> it used phpBB-2.0.22.tar.bz2 from www.phpbb.com (same as before),
> and as far as i can tell the .php files are the same (and naturally
> the database is untouched). does anyone know what this upgrade
> was meant to achieve?

This update has removed a patch which was previously used to protect
users against the session exhaustion problem that hurts when a heap session
table is used, which is common and is suggested by phpBB developers in
the MySQL 3.x age.

Unfortunately, the continued phpBB development has more and more (ab)use
of the session table and simply rejecting anonymous sessions is no longer
feasible, as it causes problems in many places in phpBB, especially for
its new features.  Instead of using the patch, users have to re-create the
session table if they used a heap session table in the past, to prevent
the DoS problem.  This would not cause a serious performance penalty for
newer MySQL versions.

Cheers,
-- 
Xin LI [EMAIL PROTECTED]  http://www.delphij.net/
FreeBSD - The Power to Serve!





Re: phpBB patch?

2007-01-24 Thread Gordon Stratton

On 1/24/07, gareth [EMAIL PROTECTED] wrote:
> hi, portupgrade just upgraded phpbb-2.0.22 to phpbb-2.0.22_1.
> it used phpBB-2.0.22.tar.bz2 from www.phpbb.com (same as before),
> and as far as i can tell the .php files are the same (and naturally
> the database is untouched). does anyone know what this upgrade
> was meant to achieve?

From the log[1]:

---
Remove previously added security patch against session table
exhaustion, as it causes more problems in the latest phpbb
version.  Users are advised to drop and re-create their
session tables (phpbb_sessions, phpbb_sessions_keys) without
using HEAP tables.
---

Gordon

[1] http://www.freshports.org/www/phpbb/