Re: PHP Update .. details
Initially a few CVE numbers were assigned and then later withdrawn when it
became clear that the issues could only be exploited by a user who wrote a
malicious PHP script - not a remote issue, or too serious. (Given that if
you had the ability to write evil PHP code you could just run 'system('rm
..');'.)
-----------------
Just would like to draw your attention to the following page:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=248046
Basically, they claim that phpBB v2.0.11 running on PHP version < 4.3.10
becomes remotely vulnerable, and they claim there are exploits in the wild
-- which backs their claim, and makes it definitely a serious issue.
When PHP is upgraded to 4.3.10, it's no longer vulnerable.
Being a layman, I'm not able to confirm that claim. However, given that
this is an official announcement from them, I think it's worth reading over
at least.
Hopefully the Debian security team will be convinced to patch the php4 package then.
Thanks,
Harry