-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At some point hitherto, Karl J. Runge hath spake thusly:
> Call me "chicken little", but I am getting worried about the looming
> Apache/PHP vulnerability out there:
> 
>         http://news.com.com/2100-1001-850752.html?tag=cd_mh
>         http://security.e-matters.de/advisories/012002.html
>         http://www.cert.org/advisories/CA-2002-05.html
> 
> If you have a webserver on the internet with PHP I encourage you to
> patch it NOW.

I'll go one better than that.  If you use PHP, STOP.  They have
security bulletins released about once a week, it seems (o.k. I'm
exaggerating A LITTLE).  About the only "vendor" with more frequent
releases is Microsoft...  PHP might be a nice scripting language, but
the developers really haven't shown any sort of track record that
suggests they have a good handle on secure programming methods.  I
would advise against anyone using PHP until they manage to go a
significant amount of time (say, maybe 6 months) without a security
bulletin.  Eventually, using PHP is bound to catch up with you.

Unless of course you're willing to update PHP immediately, every time
they release a new version.  If you're that diligent, you probably
won't have a problem.

> That would be worse than code red and a huge blow to Apache & OSS. :-(

Apache isn't the problem... though Microsoft and their goonies will
no doubt try to spin it that way.

However, it's worth taking the time here to remind people again that
writing secure, bug-free software is HARD, and no one is perfect
(except maybe Dan J. Bernstein), so from time to time ANY software
will have security updates; and if you manage a box with affected
software, you do need to keep up with those updates.  Security is
EVERYONE's problem.

- -- 
Derek Martin               [EMAIL PROTECTED]    
- ---------------------------------------------
I prefer mail encrypted with PGP/GPG!
GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
Learn more about it at http://www.gnupg.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8hSVWdjdlQoHP510RAvbfAJ9YVzAcpVxipoBgtzS6cbx+DNXt+gCcCcfs
IuppafgTLwXz43A7gHv0d1I=
=SBzt
-----END PGP SIGNATURE-----

*****************************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the text 'unsubscribe gnhlug' in the message body.
*****************************************************************
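The advice in the message above (know whether the PHP on your box predates the fix, and patch if so) can be turned into a small version gate. This is an added example, not code from the original post or from the PHP project. It assumes, based on the linked advisories, that PHP 4.1.2 is the first release carrying the fix and that everything older is affected; the banner strings it checks are constructed samples, and `php` is assumed to be the name of the local binary.

```python
"""Version gate for the PHP fileupload advisory linked in the message.

Added example, not from the original post.  Assumption: PHP 4.1.2 is the
first fixed release, so any older 3.x/4.x build should be patched.  The
sample banners below are constructed, not captured from a real host.
"""
import re
import subprocess

# Assumption: first release that carries the fix (per CA-2002-05 / 012002).
FIXED = (4, 1, 2)

# Matches the start of the first line printed by `php -v`, e.g. "PHP 4.1.1 (cli) ..."
_BANNER = re.compile(r"^PHP\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) from the first line of `php -v` output.

    Suffixes such as '4.1.2RC2' keep only the numeric triple.  Raises
    ValueError when the line does not start with a PHP version banner.
    """
    m = _BANNER.match(banner.strip())
    if not m:
        raise ValueError("no PHP version in banner: %r" % (banner,))
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the triple is older than the first fixed release."""
    return tuple(version) < FIXED


def check_local_php(php="php"):
    """Run `php -v` on this host and return (version, affected).

    Returns None if no php binary is installed (nothing to patch).
    """
    try:
        out = subprocess.run([php, "-v"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        return None
    first = out.splitlines()[0] if out else ""
    v = parse_version(first)
    return v, is_affected(v)


# Constructed sample banners (assumed format; not real captured output).
SAMPLE_BANNERS = [
    "PHP 4.0.6 (cgi) (built: Jul  5 2001 16:50:07)",
    "PHP 4.1.1 (cli) (built: Dec 26 2001 09:12:31)",
    "PHP 4.1.2 (cli) (built: Feb 27 2002 11:02:14)",
    "PHP 4.2.1 (cli) (built: May 13 2002 08:00:00)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        v = parse_version(banner)
        status = "VULNERABLE, patch now" if is_affected(v) else "fixed"
        print("%-8s %s" % (".".join(map(str, v)), status))
    local = check_local_php()
    if local is not None:
        print("local php:", local)
```

Run it on each web host; a non-None result with `affected == True` is the box the message tells you to patch immediately. The parser deliberately raises rather than guessing when the banner is missing, so a broken or wrapped `php` binary shows up as an error instead of a false "fixed".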