On Wed, Mar 06, 2002 at 12:50:01PM -0500, Blake Girardot <[EMAIL PROTECTED]>
wrote:
> it's not all that complicated.
>
> download the php 4.1.2 source.
>
> check out a copy of php4/main/rfc1867.c from cvs.php.net
>
> replace the ~main/rfc1867.c in the 4.1.2 source with version 1.71.2.3 from
> cvs.php.net and carry on.
>
> both the folks from mitel and most of the posters on php-dev and to the bug
> tracking system are not listening to the php.net developers.
>
> 4.1.2 fixed the security hole but left in a crashing bug.

A "crashing bug"? That's not a very useful diagnosis. I *think* you
mean it causes a segmentation fault (it will), but so will the bug
that opened the security hole, if you feed it the wrong data -- see
the proof-of-concept exploit sent to BUGTRAQ last night.

Are you sure that the "crashing bug" isn't an "execute supplied
shellcode bug"? We're not, so we're fixing it.

Personally, I think "known to crash, possibly remotely exploitable"
isn't "fixed", but if you disagree, it's your server.

-Rich
--
------------------------------ Rich Lafferty ---------------------------
Technical Support Engineer, Network Server Solutions Group
Mitel Networks, Ottawa, ON (613) 751-4404
---------------------------- [EMAIL PROTECTED] ------------------------
--
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org