php4 unserialize vulnerability in stable
Some weeks ago a vulnerability in functions serialize & unserialize of PHP4 <
4.3.10 was announced. Every distribution I've seen has updated its version to
4.3.10. I understand that Debian won't make such a change, but I haven't even
seen a comment on this: whether Debian's specific version (currently
4.3.10-7.0.1) is actually vulnerable, possible temporary solutions, etc. There
are no security announcements on this topic and it is not mentioned either in
the not-vulnerable list.
Could anyone give me some information on this?
Is there any other way to solve this than overwriting Debian's PHP with a
vanilla 4.3.10 compiled-from-source PHP?
Thanks a lot!
--
Guillermo Pereyra Irujo
Tandil, Argentina