On 2009-11-10 07:59, Matthew Seaman wrote:
Arek Czereszewski wrote:

I have on some web servers php4-gd port installed
and I am totally confused.
Portaudit says

Affected package: php4-gd-4.4.9
Type of problem: gd -- '_gdGetColors' remote buffer overflow

On this site is info about: 5.2.11 and 5.3.0

On Securityfocus is info also about 4.4.9
but on cve.mitre.org is not.

Any idea where the truth is?
Are my servers with php4-gd secure or not?

This is a bug in the underlying gd library rather than in PHP itself. There
are fixes to two related ports: if you've updated graphics/gd to the latest
version (gd-2.0.35_2,1), and built the latest port revision of the php5-gd
module (which is php5-gd-5.2.11_2) then those should have been secured.

However, the PHP4 version of the gd module is still at version
php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch
for CVE-2009-3546 in the php4 sources -- so it seems you are still
when using PHP4. This is to be expected: the PHP project is deprecating
and putting all their effort into developing PHP5 instead. Patches may
be forthcoming eventually, but who knows when?

Basically, if you're running PHP4 on a public site then you should be
plans to upgrade to PHP5 ASAP.



So I need to upgrade php4 to php5.
Thank you for information.


Arek Czereszewski
arek (at) wup-katowice (dot) pl
"UNIX allows me to work smarter, not harder."
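Matthew's answer names the port revisions that carry the fix (gd-2.0.35_2,1 and php5-gd-5.2.11_2) and notes that php4-gd has no fixed version at all. As an added example, not part of this thread, the following Python script checks a pkg_info-style list of installed packages against those versions and flags anything older, plus anything whose port has no fix. The package list is constructed, and the version comparison is a simplified reimplementation of FreeBSD's ordering (epoch, then dotted version, then PORTREVISION), not the pkg_version tool itself.

```python
import re

# Fixed package versions named in the thread. php4-gd maps to None because
# the thread says no patch for CVE-2009-3546 exists in the php4 sources.
FIXED_VERSIONS = {
    "gd": "2.0.35_2,1",
    "php5-gd": "5.2.11_2",
    "php4-gd": None,
}

# Constructed sample in the shape of `pkg_info` output; not from a real host.
SAMPLE_PKG_INFO = """\
apache-2.2.14       Version 2.2.x of Apache web server
gd-2.0.35_1,1       A graphics library for fast creation of images
php4-gd-4.4.9       The gd shared extension for php
php5-5.2.11         PHP Scripting Language
php5-gd-5.2.11_2    The gd shared extension for php
"""


def version_key(version):
    """Turn a FreeBSD package version (VERSION[_REVISION][,EPOCH]) into a
    sortable key: epoch first, then dotted version components, then
    revision. Numeric runs compare as integers, letter runs as strings.
    Simplified model of the ports rules, not a port of pkg_version."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    components = []
    for comp in version.split("."):
        tokens = re.findall(r"\d+|[A-Za-z]+", comp)
        components.append(
            tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)
        )
    return (epoch, tuple(components), revision)


def split_pkgname(pkgname):
    """Split 'php5-gd-5.2.11_2' into ('php5-gd', '5.2.11_2')."""
    name, version = pkgname.rsplit("-", 1)
    return name, version


def affected_packages(pkg_info_text):
    """Return (pkgname, reason) for every installed package that is below
    its fixed version, or whose port has no fixed version at all."""
    findings = []
    for line in pkg_info_text.splitlines():
        if not line.strip():
            continue
        pkgname = line.split()[0]
        name, version = split_pkgname(pkgname)
        if name not in FIXED_VERSIONS:
            continue
        fixed = FIXED_VERSIONS[name]
        if fixed is None:
            findings.append(
                (pkgname, "no fixed version available; move to the PHP5 module")
            )
        elif version_key(version) < version_key(fixed):
            findings.append((pkgname, f"older than fixed version {name}-{fixed}"))
    return findings


if __name__ == "__main__":
    for pkgname, reason in affected_packages(SAMPLE_PKG_INFO):
        print(f"{pkgname}: {reason}")
```

On a real host the input would be the output of pkg_info (the tooling in use at the time of the thread); portaudit remains the authoritative check, since it carries the full vulnerability database rather than the three entries hard-coded here.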