Paul Schmehl wrote:
--On October 15, 2006 7:49:55 PM +0200 Thomas <[EMAIL PROTECTED]> wrote:

Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
can use:
It will ignore the vuxml entry.

No offense, but anybody who *deliberately* installs a vulnerable version of php in *today's* world, is an absolute fool. Some of us are *stuck* with the vulnerable version, because we installed before the vulnerability was found. We can't go back because previous versions are *also* vulnerable.

But *deliberately* installing it when you *know* it's vulnerable - and one of the most attacked applications on the internet? Foolhardy doesn't quite grasp the insanity of that.

That is a bit extreme. I have a full workload, I put in about 60 hours a week (I work a lot of weekends, I'm working now). I have servers running all different versions of apps. I can't go around upgrading everything at the drop of a hat. I would be divorced within a month.

If you read the security alerts carefully you will find many require a shell (We don't offer them to clients), some require a specific app to be running that you may not need (rm -f /usr/local/bin/vulnerable_app), and sometimes a simple code audit will tell you if you are vulnerable. It is also not uncommon that a security alert is issued for a problem that has not been proven in the wild.

There are plenty of reasons to not follow a security alert, many of them quite valid. Upgrading mission critical systems without thoroughly understanding the implications just because someone screamed SECURITY!, now that is foolhardy.


Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for

Maybe they forgot who made that choice possible.