http://qa.mandrakesoft.com/show_bug.cgi?id=4610
------- Additional Comments From [EMAIL PROTECTED] 2003-11-08 12:15 -------
Requires are:

For the SRPM from updates:

$ rpm -qp --requires php-4.1.2-1.1mdk.src.rpm
bison
byacc
libgdbm2-devel
zlib1-devel
mm-devel
pam-devel
flex
smtpdaemon
rpmlib(CompressedFileNames) <= 3.0.4-1

For binary RPMs:

$ rpm -qp --requires php-4.1.2-1.1mdk.i586.rpm
php-common = 4.1.2-1.1mdk
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2
libcrypt.so.1
libc.so.6
libdl.so.2
libintl.so.1
libm.so.6
libnsl.so.1
libpam.so.0
libphp_common-4.0.6.so.0
libpthread.so.0
libresolv.so.2
libz.so.1
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libpthread.so.0(GLIBC_2.0)

$ rpm -qp --requires php-common-4.1.2-1.1mdk.i586.rpm
/bin/sh
/sbin/ldconfig
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
ld-linux.so.2
libcrypt.so.1
libc.so.6
libdl.so.2
libintl.so.1
libm.so.6
libnsl.so.1
libpam.so.0
libpthread.so.0
libresolv.so.2
libz.so.1
libcrypt.so.1(GLIBC_2.0)
libc.so.6(GLIBC_2.0)
libc.so.6(GLIBC_2.1)
libc.so.6(GLIBC_2.1.3)
libc.so.6(GLIBC_2.2)
libdl.so.2(GLIBC_2.0)
libdl.so.2(GLIBC_2.1)
libm.so.6(GLIBC_2.0)
libnsl.so.1(GLIBC_2.0)
libpthread.so.0(GLIBC_2.0)
libpthread.so.0(GLIBC_2.2)
libresolv.so.2(GLIBC_2.0)
libresolv.so.2(GLIBC_2.2)

$ rpm -qp --requires php-devel-4.1.2-1.1mdk.i586.rpm
libtool
php-common = 4.1.2-1.1mdk
php = 4.1.2-1.1mdk
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1

------- Reminder: -------
assigned_to: [EMAIL PROTECTED]
status: NEW
creation_date:
description:
We've installed the security updates for PHP a few days ago on our Mandrake 8.2 www server. Today, we've noticed that our web application fails to send mails.
In /var/log/messages we can see the following error:

"mail() is not supported in this PHP build"

It seems that mail support was left out when compiling the package... :(

The description on MandrakeUpdate says:

"A vulnerability was discovered in the transparent session ID support in PHP4 prior to version 4.3.2. It did not properly escape user-supplied input prior to inserting it in the generated web page. This could be exploited by an attacker to execute embedded scripts within the context of the generated HTML (CAN-2003-0442). As well, two vulnerabilities had not been patched in the PHP packages included with Mandrake Linux 8.2: The mail() function did not filter ASCII control filters from its arguments, which could allow an attacker to modify the mail message content (CAN-2002-0986). Another vulnerability in the mail() function would allow a remote attacker to bypass safe mode restrictions and modify the command line arguments passed to the MTA in the fifth argument (CAN-2002-0985). All users are encouraged to upgrade to these patched packages."

Well, disabling mail() completely is not an acceptable solution! There are applications that depend on this functionality. I hope this is just a typo in the RPM package, not the policy of this security fix...
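
The two mail() issues named in the quoted advisory can also be guarded against on the application side. The following is an added example, not part of the bug report and not the Mandrake or PHP patch; safe_mail() and assert_no_control_chars() are hypothetical names, and the code assumes a PHP 7.1+ runtime rather than PHP 4.1.2.

```php
<?php
// Added example: hypothetical application-side wrapper around mail().

/** Reject ASCII control characters (0x00-0x1F, 0x7F), the class named in CAN-2002-0986. */
function assert_no_control_chars(string $value, string $field): void
{
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException("control character in $field");
    }
}

function safe_mail(string $to, string $subject, string $body,
                   array $headers = [], ?string $envelopeFrom = null): bool
{
    assert_no_control_chars($to, 'to');
    assert_no_control_chars($subject, 'subject');

    // Headers are passed as name => value so the wrapper, not the caller,
    // decides where the CRLF separators go.
    $lines = [];
    foreach ($headers as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9-]+$/', (string) $name)) {
            throw new InvalidArgumentException('invalid header name');
        }
        assert_no_control_chars((string) $value, "header $name");
        $lines[] = "$name: $value";
    }

    // Line breaks are legitimate in the body; normalise them to CRLF.
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);

    // Fifth argument (CAN-2002-0985): never forward caller-supplied text.
    // Only "-f<address>" is built, from a strict allow-list that excludes
    // whitespace, quotes and shell metacharacters, so no quoting is needed.
    $params = '';
    if ($envelopeFrom !== null) {
        if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/', $envelopeFrom)) {
            throw new InvalidArgumentException('invalid envelope sender');
        }
        $params = '-f' . $envelopeFrom;
    }

    return mail($to, $subject, $body, implode("\r\n", $lines), $params);
}
```

The wrapper throws instead of silently stripping characters, so a rejected message shows up in application logs rather than being delivered in altered form.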
