Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On October 15, 2006 7:49:55 PM +0200 Thomas <[EMAIL PROTECTED]> 
> wrote:
> >
> > Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
> > can use:
> > make -DDISABLE_VULNERABILITIES install clean
> > It will ignore the vuxml entry.
> >
> No offense, but anybody who *deliberately* installs a vulnerable version 
> of php in *today's* world, is an absolute fool.  Some of us are *stuck* 
> with the vulnerable version, because we installed before the vulnerability 
> was found.  We can't go back because previous versions are *also* 
> vulnerable.

Have you looked at the vulnerability?  There are only certian coding
instances that would actually open this up to any attack vector.  Since
the bug is in unserialize, it's pretty easy audit a program to ensure
that it isn't vulnerable.

"absolute fool" seems a little extreme.

Bill Moran

Six men came to kill me one time, and the best of them carried this. It's
a Callahan fullbore autolock, customized trigger and double cartridge
thourough-gage.  It's my very favorite gun.

        Jayne Cobb

_______________________________________________ mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to