
CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload



I received this CERT Advisory about 6 hours ago, regarding PHP. 
The php website confirms the details: www.php.net

I think this is going to be a problem for us, due to the way
the Debian packaging works - 

We upgraded to Apache 1.3.19-1 for security reasons.
Package dependencies meant we ended up with:
  apache       1.3.19-1
  mod_ssl      2.8.2-1
  openssl      0.9.6a-3
  libssl0.9.6  0.9.6a3
  php4         4.0.5-2
  php4-mysql   4.0.5-2
  mysql-server 3.23.46-2
  mysql-common 3.23.46-2
  mysql-client 3.23.46-2

Getting all the cross-dependencies to work was difficult,
and we tried to get Apache 1.3.22 working, but the build
in test 1.3.22-5 is badly broken with an Apache bug from 
some time ago, where QUERY_STRING is not populated when
using multiviews.

We originally selected Debian due to the granularity of the
packaging system, however stable is now lagging so far behind
the real world that we have been forced to do a lot of jiggery-
pokery to get basic things like Apache/PHP4/MySQL/SSL to work.

I guess that the immediate solution in this case is for us to
try to get the unstable Apache 1.3.23 package + an updated
PHP4 4.2.1 package + MySQL, SSL etc to work. mmmm - ain't
going to be quick to test this and roll it out into production, 
and in the mean time, we have production servers running
a PHP4 that has a now widely known security issue. Oh - and 
yes, we could go out of business and not accept data, but
methinks my tenure would be somewhat shortened if I propose
that at our emergency security meeting in an hour's time!

Help?

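An added example, not part of the original message and not from the CERT advisory or from Debian: the check a practitioner would want before the emergency meeting is "which installed packages are still below the fixed version?". Debian version strings ("4.0.5-2", "1:1.0~rc1-3") do not sort as plain strings, so the script below reimplements dpkg's version ordering (epoch, then upstream, then Debian revision, with '~' sorting before everything and digit runs compared numerically) and applies it to the package list quoted in the message. The installed versions are taken from the message; the fixed-version threshold (4.1.2 for php4 and php4-mysql) is an assumption to be checked against the advisory text, and the `dpkg-query` output embedded at the bottom is constructed sample input, not captured from any real host.

```python
import re
from typing import Dict, List, Tuple


def _order(c: str) -> int:
    """dpkg's character weight for the non-digit parts of a version:
    '~' sorts before everything (even the end of the string), the end of
    the string comes next, then letters by ASCII, then other characters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    i = 0
    while i < len(a) or i < len(b):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
        i += 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream version or a Debian revision the way dpkg does:
    alternate between a non-digit run (ordered by _order) and a digit run
    (compared as an integer) until both strings are exhausted."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(0), re.match(r"[^0-9]*", b).group(0)
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(0), re.match(r"[0-9]*", b).group(0)
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def parse_version(v: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]'; the revision is the part after
    the LAST hyphen, since upstream versions may themselves contain '-'."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)


def parse_dpkg_query(text: str) -> Dict[str, str]:
    """Parse the output of: dpkg-query -W -f='${Package} ${Version}\n'"""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            pkg, ver = line.split(None, 1)
            installed[pkg] = ver
    return installed


def vulnerable_packages(installed: Dict[str, str],
                        fixed: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Packages whose installed version sorts below the fixed version."""
    return [(pkg, ver, fixed[pkg]) for pkg, ver in installed.items()
            if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0]


# Constructed sample input: the versions quoted in the message, in the
# format dpkg-query prints them (not captured from a real machine).
SAMPLE_DPKG_QUERY = """\
apache 1.3.19-1
mod_ssl 2.8.2-1
php4 4.0.5-2
php4-mysql 4.0.5-2
mysql-server 3.23.46-2
"""

# ASSUMPTION: the upstream version that carries the fileupload fix.
FIXED_UPSTREAM = {"php4": "4.1.2", "php4-mysql": "4.1.2"}

if __name__ == "__main__":
    for pkg, have, need in vulnerable_packages(parse_dpkg_query(SAMPLE_DPKG_QUERY), FIXED_UPSTREAM):
        print(f"{pkg}: installed {have} < fixed {need}")
```

On a real host, replace `SAMPLE_DPKG_QUERY` with the output of `dpkg-query -W -f='${Package} ${Version}\n'`; note that a backported package such as "4.1.2-1" correctly compares as not below "4.1.2", because a missing Debian revision sorts lower than any present one.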