[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PHP Update .. details

Initially a few CVE numbers were assigned and then later withdrawn when it became clear that the issues could only be exploited by a user who wrote a malicious PHP script - not a remote issue, or too serious. (Given that if you had the ability to write evil PHP code you cold just run 'system('rm ..');'.

Just would like to draw your attention to the following page:

Basically, they claim that phpBB v2.0.11 running on PHP version < 4.3.10 becomes remotely vulnerable, and they claim there are exploits on the wild -- which backs their claim, and makes it definitely a serious issue.

When PHP upgraded to 4.3.10, it's no longer vulnerable.

Being a layman, I'm not able to confirm that claim. However, the fact that this is an official announcement from them, I think it's worth reading over at least.
Hopefully Debian security team will be convinced to patch php4 package then.


Reply to: