No. The bug was localised after the release of PHP 4.0.4; that is the reason
why we released the Security Advisory and PHP 4.0.4pl1, so if you think that
your servers could be affected you SHOULD upgrade to PHP 4.0.4pl1. It
affects ALL versions of PHP 4 up to PHP 4.0.4; you should read the Advisory
carefully and see the corresponding posts on Bugtraq for further
information. Security Focus is currently down, but check on securityfocus.com
next week and read about it.
Basically:
Issues only affect mod_php4 in Apache
=> The issue that php_value engine off can propagate
from virtual host to virtual host can be easily worked
around by adding php_value engine on to your DEFAULT
server config in httpd.conf.
=> The second issue where PHP directives can be set
from request to request has questionable real world
use but is still a security issue. IIRC you can
prevent this to a certain extent by disallowing
OPTIONS requests in your httpd.conf
Doing the above will not guarantee that your system is safe but it will
enable you to check the security advisory and then make a decision on whether
an upgrade is necessary.
James
--
James Moore
PHP Quality Assurance Team
[EMAIL PROTECTED]
> -----Original Message-----
> From: moshe doron [mailto:[EMAIL PROTECTED]]
> Sent: 27 January 2001 19:30
> To: [EMAIL PROTECTED]
> Subject: [PHP-DEV] ooops, i thought it new one but:
>
>
> In Debian, they say this bug also affects 3pl1, but it's not what I found
> on php.net.
> Can I be relaxed if the servers I am using are running 3pl1?
>
> --
>
>
> "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > pl2? This advisory has been out for over a week and the problem is fixed
> > in 4.0.4pl1
> >
> > -Rasmus
> >
> > On Sat, 27 Jan 2001, moshe doron wrote:
> >
> > > The problem here is that I have a problem updating some servers that
> > > contain my code, because they are not in my ownership, so I just have to
> > > test if this bug affects them (if yes I'll temporarily remove the file
> > > from the server), but there are no explanations.
> > >
> > > Does that subject stay in the dark till Monday so as not to give hackers
> > > the chance to exploit it during the weekend?
> > >
> > > BTW, will there be an official php4.0.4pl2 on php.net at that time?
> > >
> > > tnx
> > > moshe.
> > >
> > > --
> > >
> > >
> > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > The reference is right in the link you posted. Just upgrade to the latest
> > > > version to address it.
> > > >
> > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > >
> > > > > http://freshmeat.net/news/2001/01/27/980597363.html
> > > > >
> > > > > > Where can I find any references?
> > > > >
> > > > > tnx
> > > > > moshe.
> > > > >
> > > > > --
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > > > >
> > > >
> > > >
> > > > --
> > > > PHP Development Mailing List <http://www.php.net/>
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > To contact the list administrators, e-mail:
> [EMAIL PROTECTED]
> > > >
> > >
> > >
> > >
> > > --
> > > PHP Development Mailing List <http://www.php.net/>
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > To contact the list administrators, e-mail:
> [EMAIL PROTECTED]
> > >
> >
> >
> > --
> > PHP Development Mailing List <http://www.php.net/>
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> >
>
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
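
An added example, not part of the original message or of the PHP project's code: a small Python audit that checks httpd.conf text for the two workarounds listed in the reply above (`php_value engine on` at default-server level, and OPTIONS requests being denied). The function name, the sample configs and the `<Limit OPTIONS>` / `Deny from all` form of "disallowing OPTIONS" are assumptions; the thread does not spell out that directive.

```python
import re

def audit_httpd_conf(text):
    """Check httpd.conf text for the two workarounds named in the thread."""
    stack, vhost, in_options_limit = [], None, False   # open <Section> nesting
    result = {"default_engine_on": False, "vhosts_engine_off": [], "options_denied": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                      # closing container tag
            del stack[-1:]
            in_options_limit = in_options_limit and not line.lower().startswith("</limit")
            continue
        opening = re.match(r"<(\w+)\s*([^>]*)>", line)
        if opening:
            tag, args = opening.group(1).lower(), opening.group(2).strip()
            stack.append(tag)
            if tag == "virtualhost":
                vhost = args
            elif tag == "limit" and "OPTIONS" in args.upper().split():
                in_options_limit = True
            continue
        words = line.lower().split()
        if words[:2] == ["php_value", "engine"] and len(words) > 2:
            if not stack and words[2] == "on":         # default server scope
                result["default_engine_on"] = True
            elif "virtualhost" in stack and words[2] == "off":
                result["vhosts_engine_off"].append(vhost)
        elif in_options_limit and words[0] == "deny":
            result["options_denied"] = True
    return result

# Constructed sample configs (hypothetical address), before and after the workarounds.
BEFORE = """\
<VirtualHost 10.0.0.1>
    php_value engine off
</VirtualHost>
"""
AFTER = """\
php_value engine on
<Directory />
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>
""" + BEFORE
```

A config that lists any entry in `vhosts_engine_off` while `default_engine_on` is false is the case the first workaround addresses; as the reply says, neither workaround replaces the upgrade to 4.0.4pl1.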