Darren Davison wrote:
> rkhunter is reporting PHP (4.3.10) as "Vulnerable" on my server. I've
> seen no GLSAs about it but 4.3.11 came out a week or so ago purporting
> to fix some minor security issues [1]. It looks like at least two of
> those minor issues are DoS attacks [2].
>
> There are a couple of bugs open in bugzilla, but one of the PHP
> maintainers seems a bit reluctant to update the ebuild (some obscure
> reference to the "state of PHP" and busy at Uni).
>
> Does anyone know if these security issues/DoS are remotely exploitable
> or potentially serious? I use it for SquirrelMail.
>
> [1] http://www.php.net/release_4_3_11.php
> [2] http://www.idefense.com/application/poi/display?id=222
See progress on bug 87517: https://bugs.gentoo.org/show_bug.cgi?id=87517

The issues are either minor (affecting submodules like exif or fbsql) or covered by previous known bugs (the unserialize thing that has been improved since GLSA 200412-14, or the CURL thing that PHP developers said they wouldn't fix and for which we printed a warning during the merge). I don't think squirrelmail would be affected by any of those.

That said, we hope the PHP Gentoo maintainers will update the version soon so that we can issue a GLSA about it.

--
Koon
Gentoo Linux Security
