thanks to you all.
i just became too pressured by the freshmeat message; in the future i'll take
more care before badgering you with paranoid questions ;|

moshe.

--


"Andi Gutmans" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Moshe,
>
> It's quite difficult to exploit this vulnerability without knowing your
> server's setup. It is possible, but personally I wouldn't worry too much
> about it although you should urge your ISP to upgrade to 4.0.4pl1.
>
> Andi
>
> At 08:07 PM 1/27/2001 +0000, James Moore wrote:
> >No. the bug was localised after the release of PHP 4.0.4 that is the reason
> >why we released the Security Advisory and PHP 4.0.4pl1 so if you think that
> >your servers could be affected you SHOULD upgrade to PHP 4.0.4pl1. It
> >affects ALL versions of PHP 4 up to PHP 4.0.4, you should read the Advisory
> >carefully and see the corresponding posts on Bugtraq for further
> >information. Security Focus is currently down but check on securityfocus.com
> >next week and read about it.
> >
> >Basically:
> >         Issues only affect mod_php4 in apache
> >
> >         => The issue that php_value engine off can propagate
> >            from virtual host to virtual host can be easily worked
> >            around by adding php_value engine on to your DEFAULT
> >            server config in httpd.conf.
> >
> >         => The second issue where php directives can be set
> >            from request to request has questionable real world
> >            use but is still a security issue. IIRC you can
> >            prevent this to a certain extent by disallowing
> >            OPTIONS requests in your httpd.conf
> >
> >Doing the above will not guarantee that your system is safe but it will
> >enable you to check the security advisory and then make a decision on whether
> >an upgrade is necessary.
> >
> >
> >James
> >--
> >James Moore
> >PHP Quality Assurance Team
> >[EMAIL PROTECTED]
> >
> > > -----Original Message-----
> > > From: moshe doron [mailto:[EMAIL PROTECTED]]
> > > Sent: 27 January 2001 19:30
> > > To: [EMAIL PROTECTED]
> > > Subject: [PHP-DEV] ooops, i thought it new one but:
> > >
> > >
> > > > in debian, they say this bug is also affecting 3pl1, but it's not what i
> > > > found on php.net.
> > > > can i be relaxed if the servers i'm using are running 3pl1?
> > >
> > > --
> > >
> > >
> > > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > pl2?  This advisory has been out for over a week and the problem is
> > > > > fixed in 4.0.4pl1
> > > >
> > > > -Rasmus
> > > >
> > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > >
> > > > > > the problem here is that i have a problem updating some servers
> > > > > > containing my code coz they're not in my ownership, so i just have
> > > > > > to test if this bug affects them (if yes i'll temporarily remove
> > > > > > the file from the server) but no explanations.
> > > > > >
> > > > > > does that subject stay in the dark till monday so as not to give
> > > > > > hackers the chance to exploit it during the weekend?
> > > > > >
> > > > > > btw, will there be an official php4.0.4pl2 on php.net at that time?
> > > > >
> > > > > tnx
> > > > > moshe.
> > > > >
> > > > > --
> > > > >
> > > > >
> > > > > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > > > > news:[EMAIL PROTECTED]...
> > > > > > > The reference is right in the link you posted.  Just upgrade to
> > > > > > > the latest version to address it.
> > > > > >
> > > > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > > > >
> > > > > > > http://freshmeat.net/news/2001/01/27/980597363.html
> > > > > > >
> > > > > > > where can i find any references?
> > > > > > >
> > > > > > > tnx
> > > > > > > moshe.
> > > > > > >
> > > > > > > --
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > To contact the list administrators, e-mail:
> > > [EMAIL PROTECTED]
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > To contact the list administrators, e-mail:
> > > [EMAIL PROTECTED]
> > > > >
> > > >
> > > >
> > > > --
> > > > PHP Development Mailing List <http://www.php.net/>
> > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > To contact the list administrators, e-mail:
[EMAIL PROTECTED]
> > > >
> > >
> > >
> > >
> > > --
> > > PHP Development Mailing List <http://www.php.net/>
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > To contact the list administrators, e-mail:
[EMAIL PROTECTED]
> >
> >
> >--
> >PHP Development Mailing List <http://www.php.net/>
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]
> >To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to
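The two workarounds James Moore lists in the quoted message, written as a check over an httpd.conf; this is an added example, not part of the thread or of the PHP project's code. The function name, the sample configs, the acceptance of `php_flag` alongside `php_value`, and the `<Limit OPTIONS>` / `Deny from all` form of disallowing OPTIONS are assumptions, since the thread does not say how to write that rule.

```python
import re

# Constructed httpd.conf samples (not from the thread). The first lacks both
# workarounds; the second applies them in the default (non-vhost) server scope.
UNMITIGATED = """\
<VirtualHost 10.0.0.1>
    php_value engine off
</VirtualHost>
"""
MITIGATED = """\
php_value engine on
<Location />
    <Limit OPTIONS>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
<VirtualHost 10.0.0.1>
    php_value engine off
</VirtualHost>
"""

ENGINE_ON = re.compile(r"php_(value|flag)\s+engine\s+(on|1)$", re.I)
LIMIT_OPEN = re.compile(r"<Limit\s+([^>]*)>$", re.I)
DENY_ALL = re.compile(r"deny\s+from\s+all$", re.I)  # assumed Apache 1.3 form


def audit_httpd_conf(text):
    """Report which of the two workarounds appear outside any <VirtualHost>."""
    found = {"engine_on_default": False, "options_denied": False}
    in_vhost, limited = False, []  # limited: methods of the open <Limit> block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        opened = LIMIT_OPEN.match(line)
        if line.lower().startswith("<virtualhost"):
            in_vhost = True
        elif line.lower().startswith("</virtualhost"):
            in_vhost = False
        elif opened:
            limited = opened.group(1).split()  # method names are case-sensitive
        elif line.lower().startswith("</limit>"):
            limited = []
        elif not in_vhost and ENGINE_ON.match(line):
            found["engine_on_default"] = True
        elif not in_vhost and "OPTIONS" in limited and DENY_ALL.match(line):
            found["options_denied"] = True
    return found
```

A result with both values true only shows that the workarounds are present; as the message says, they do not guarantee the system is safe and the upgrade to 4.0.4pl1 remains the fix.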