
PHP vulnerable?
rkhunter is reporting PHP (4.3.10) as "Vulnerable" on my server. I've
seen no GLSAs about it but 4.3.11 came out a week or so ago purporting
to fix some minor security issues [1]. It looks like at least two of
those minor issues are DoS attacks [2].

There are a couple of bugs open in bugzilla, but one of the PHP
maintainers seems a bit reluctant to update the ebuild (some obscure
reference to the "state of PHP" and busy at Uni).

Does anyone know if these security issues/DoS are remotely exploitable
or potentially serious? I use it for SquirrelMail.

[1] http://www.php.net/release_4_3_11.php
[2] http://www.idefense.com/application/poi/display?id=222


Regards,
--
Darren Davison
Public Key: 0xDD356B0D
Re: PHP vulnerable?
Darren Davison wrote:

> rkhunter is reporting PHP (4.3.10) as "Vulnerable" on my server. I've
> seen no GLSAs about it but 4.3.11 came out a week or so ago purporting
> to fix some minor security issues [1]. It looks like at least two of
> those minor issues are DoS attacks [2].
>
> There are a couple of bugs open in bugzilla, but one of the PHP
> maintainers seems a bit reluctant to update the ebuild (some obscure
> reference to the "state of PHP" and busy at Uni).
>
> Does anyone know if these security issues/DoS are remotely exploitable
> or potentially serious? I use it for SquirrelMail.
>
> [1] http://www.php.net/release_4_3_11.php
> [2] http://www.idefense.com/application/poi/display?id=222

See progress on bug 87517:
https://bugs.gentoo.org/show_bug.cgi?id=87517

The issues are either minor (affecting submodules like exif or fbsql) or
covered by previous known bugs (the unserialize thing that has been
improved since GLSA 200412-14, or the CURL thing that PHP developers
said they wouldn't fix and for which we printed a warning during the
merge). I don't think squirrelmail would be affected by any of those.

That said, we hope the PHP Gentoo maintainers will update the version
soon so that we can issue a GLSA about it.

--
Koon
Gentoo Linux Security
Re: PHP vulnerable?
On Fri, April 8, 2005 12:48, Thierry Carrez said:

> See progress on bug 87517:
> https://bugs.gentoo.org/show_bug.cgi?id=87517

* nod

> The issues are either minor (affecting submodules like exif or fbsql) or
> covered by previous known bugs (the unserialize thing that has been
> improved since GLSA 200412-14, or the CURL thing that PHP developers
> said they wouldn't fix and for which we printed a warning during the
> merge). I don't think squirrelmail would be affected by any of those.
>
> That said, we hope the PHP Gentoo maintainers will update the version
> soon so that we can issue a GLSA about it.

OK, thanks very much for your comments Thierry.

--
Darren Davison
Public Key: 0xDD356B0D
--
gentoo-security@gentoo.org mailing list