On Thu, 28 Feb 2002, Darrell May wrote:

> > Peter Samuel <[EMAIL PROTECTED]> said:
> >
> > The developers of PHP have released details regarding a vulnerability with
> > all versions of PHP prior to their current development stream 4.2.0-dev.
>
> Should we not look to installing http://rpms.arvin.dk/php/rh71/ PHP 4 RPMs
> which states:
>
> The PHP 4.0.6 packages found here should not be vulnerable to the file
> upload security bug because the fix for PHP 4.0.6 has been applied.

The fix for PHP as released by the PHP developers is known to be
ineffective. (See the PHP bugs lists for more explicit details.) We haven't
had a chance to examine Arvin's patch to see whether he has applied the
broken fix or whether his fix is more effective.

We also know that the recent RedHat release (announced today) which purports
to fix the problem is also unsatisfactory as it simply implements the PHP
developers' broken fix.

Until we have concrete evidence that a true fix is available we are advising
people to disable php file uploads as per the announcement I sent out (also
available from www.e-smith.org). We are not recommending any further action
at this time.

--
Regards
Peter
----------
Peter Samuel, Senior Systems Administrator          [EMAIL PROTECTED]
http://www.e-smith.org (development)    http://www.e-smith.com (corporate)
Phone: +1 613 368 4398    Fax: +1 613 564 7739
Mitel Networks, 1500-150 Metcalfe St, Ottawa, ON K2P 1P1 Canada
"If you kill all your unhappy customers, you'll only have happy ones left"

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
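The advice in the thread is to disable PHP file uploads until a verified fix exists. As an added example that is not part of the thread or of e-smith's own tooling, the shell script below audits a php.ini for the `file_uploads` directive, which is the setting behind that advice (a real PHP directive whose built-in default is On, so an absent or commented-out line leaves uploads enabled). The sample ini files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from e-smith: check whether a php.ini
# actually disables file uploads. Assumes PHP 4 php.ini syntax: "name = value",
# ';' starts a comment, and a later assignment overrides an earlier one.

# php_file_uploads_state FILE
# Prints "off" if FILE disables uploads, "on" otherwise. A missing directive
# counts as "on" because PHP then falls back to its built-in default.
php_file_uploads_state() {
    line=$(sed -e 's/;.*$//' "$1" \
        | grep -i '^[[:space:]]*file_uploads[[:space:]]*=' \
        | tail -n 1)
    if [ -z "$line" ]; then
        echo on
        return 0
    fi
    value=$(printf '%s\n' "$line" \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | tr -d '"' | tr '[:upper:]' '[:lower:]')
    # PHP treats these spellings (and an empty value) as boolean false.
    case "$value" in
        off|0|false|no|none|"") echo off ;;
        *) echo on ;;
    esac
}

# audit_php_ini FILE
# One-line verdict; returns 1 when uploads are enabled so a deployment
# script can refuse to proceed.
audit_php_ini() {
    state=$(php_file_uploads_state "$1")
    if [ "$state" = off ]; then
        echo "$1: file_uploads is off (upload code path not reachable)"
        return 0
    fi
    echo "$1: file_uploads is ON (PHP default applies if unset); disable it until a verified fix is installed"
    return 1
}

# Constructed samples, not real server configurations.
hardened=$(mktemp)
printf '; hardened\nfile_uploads = Off\n' > "$hardened"

commented_only=$(mktemp)
printf ';file_uploads = Off   ; commented out, so the default (On) applies\n' > "$commented_only"

overridden=$(mktemp)
printf 'file_uploads = Off\nfile_uploads = "On"  ; later line wins\n' > "$overridden"

for f in "$hardened" "$commented_only" "$overridden"; do
    audit_php_ini "$f" || true
done
rm -f "$hardened" "$commented_only" "$overridden"
```

The two cases worth noticing are the commented-out directive and the duplicate directive: both look as if uploads were disabled on a quick read of the file, yet PHP ends up with uploads enabled. Point the function at the php.ini your PHP build actually reads, since a directive set in a file PHP does not load has no effect.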
