
Re: php vulnerability



> I checked lwn.net and found that redhat, suse, and mandrake have made 
> available security patches. I am wondering if Debian is not vulnerable, if 
> the patch is very close to being released, or if we have to enable the described 
> workarounds.

Debian is reportedly vulnerable, I've heard. (The security team is in
possession of code to exploit the vulnerability as well.)

A fixed version of php4 is already in the unstable distribution. Users
of testing should install that one.
A proper fix for "stable" is underway; but it's more difficult to fix
this properly because of the age of the "stable" distribution I think.
Debian is getting slower with security updates due to the number of
different architectures it has to support. Most other distributions
release the fix for i386 immediately; Debian usually compiles the
updates for all architectures and then releases the advisory (so it can contain
checksums for all architectures); building on architectures like mips
takes more time than on plain i386.

You should disable file uploads in the config file until the proper fix
is released for stable. I'm sure the security team is preparing the fix
and advisory right now.

Greetings,
Erich
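The workaround Erich recommends is the `file_uploads` directive in php.ini. The script below is an added example, not code from the original message or from Debian; it rewrites (or adds) that directive so it reads `file_uploads = Off`, and reports the effective value so you can confirm the change. The php.ini content it operates on is a constructed sample; the path is an assumption, since the real file's location depends on the install (on Debian's php4 packages it lives under /etc/php4/, one copy per SAPI).

```shell
#!/bin/sh
# Added example (not from the original message or the Debian project):
# apply the "disable file uploads" workaround in a php.ini file.
# The php.ini path is supplied by the caller; the one in demo() is a
# constructed temporary file, not a real system path.

# Rewrite the file_uploads directive so uploads are refused. A commented-out
# ";file_uploads = On" line is turned into an active "file_uploads = Off" as
# well, so the setting cannot silently stay at PHP's built-in default.
# If no such line exists at all, one is appended.
disable_php_uploads() {
    ini="$1"
    if grep -Eq '^[[:space:]]*;?[[:space:]]*file_uploads[[:space:]]*=' "$ini"; then
        sed -E 's/^[[:space:]]*;?[[:space:]]*file_uploads[[:space:]]*=.*/file_uploads = Off/' \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        printf '\nfile_uploads = Off\n' >> "$ini"
    fi
}

# Print the effective value: the last active (uncommented) file_uploads line.
# Prints "unset" when there is none, which means PHP falls back to its
# compiled-in default (uploads allowed).
php_uploads_setting() {
    val=$(grep -E '^[[:space:]]*file_uploads[[:space:]]*=' "$1" | tail -n 1 \
          | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'unset\n'
    fi
}

# Constructed sample php.ini with the weak setting (uploads allowed), used only
# to demonstrate the before/after state.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[PHP]' 'engine = On' 'file_uploads = On' 'upload_max_filesize = 2M' > "$tmp"
    echo "before: file_uploads = $(php_uploads_setting "$tmp")"
    disable_php_uploads "$tmp"
    echo "after:  file_uploads = $(php_uploads_setting "$tmp")"
    rm -f "$tmp"
}

demo
```

Run it against each php.ini the server actually uses (the Apache module and the CGI binary read different copies on Debian), and restart the web server afterwards: mod_php reads php.ini at startup, so the edited file has no effect on a running Apache until then. Applications that rely on uploads will stop accepting them, which is the point of the workaround until the fixed package lands.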


