Paranoid is fine, but you can be assured that in cases like this, as soon as
the bug is localised, the Dev team will fix the problem, and as soon as
we have made sure the fix works and have tested it sufficiently we issue a
security advisory and a patch level/new release. It's better to be paranoid
than to be compromised.

I personally would feel terrible if I knew that a bug in PHP that we knew
about had been exploited to steal information/credit cards etc. and we hadn't
done everything we could to make sure the community and admins of systems
were informed.

James

> -----Original Message-----
> From: moshe doron [mailto:[EMAIL PROTECTED]]
> Sent: 27 January 2001 20:23
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DEV] ooops, i thought it new one but:
>
>
> Thanks, you all.
> I just became too pressured by the freshmeat message; in the future I'll take
> more care before badgering you with paranoid questions ;|
>
> moshe.
>
> --
>
>
> "Andi Gutmans" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Moshe,
> >
> > It's quite difficult to exploit this vulnerability without knowing your
> > server's setup. It is possible, but personally I wouldn't worry too much
> > about it, although you should urge your ISP to upgrade to 4.0.4pl1.
> >
> > Andi
> >
> > At 08:07 PM 1/27/2001 +0000, James Moore wrote:
> > >No. The bug was localised after the release of PHP 4.0.4; that is the
> > >reason why we released the Security Advisory and PHP 4.0.4pl1, so if you
> > >think that your servers could be affected you SHOULD upgrade to PHP
> > >4.0.4pl1. It affects ALL versions of PHP 4 up to PHP 4.0.4; you should
> > >read the Advisory carefully and see the corresponding posts on Bugtraq for
> > >further information. Security Focus is currently down, but check on
> > >securityfocus.com next week and read about it.
> > >
> > >Basically:
> > >         Issues only affect mod_php4 in Apache
> > >
> > >         => The issue that php_value engine off can propagate
> > >            from virtual host to virtual host can be easily worked
> > >            around by adding php_value engine on to your DEFAULT
> > >            server config in httpd.conf.
> > >
> > >         => The second issue, where php directives can be set
> > >            from request to request, has questionable real world
> > >            use but is still a security issue. IIRC you can
> > >            prevent this to a certain extent by disallowing
> > >            OPTIONS requests in your httpd.conf.
> > >
> > >Doing the above will not guarantee that your system is safe, but it will
> > >enable you to check the security advisory and then make a decision on
> > >whether an upgrade is necessary.
> > >
> > >
> > >James
> > >--
> > >James Moore
> > >PHP Quality Assurance Team
> > >[EMAIL PROTECTED]
> > >
> > > > -----Original Message-----
> > > > From: moshe doron [mailto:[EMAIL PROTECTED]]
> > > > Sent: 27 January 2001 19:30
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [PHP-DEV] ooops, i thought it new one but:
> > > >
> > > >
> > > > In Debian, they say this bug also affects 3pl1, but that's not what I
> > > > found on php.net.
> > > > Can I be relaxed if the servers I'm using are running 3pl1?
> > > >
> > > > --
> > > >
> > > >
> > > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > > pl2?  This advisory has been out for over a week and the problem is
> > > > > fixed in 4.0.4pl1
> > > > >
> > > > > -Rasmus
> > > > >
> > > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > > >
> > > > > > The problem here is that I have a problem updating some servers
> > > > > > containing my code, because they are not in my ownership, so I just
> > > > > > have to test if this bug affected them (if yes, I'll temporarily
> > > > > > remove the file from the server), but no explanations.
> > > > > >
> > > > > > Does that subject stay in the dark till Monday, so as not to give
> > > > > > hackers the chance to exploit it during the weekend?
> > > > > >
> > > > > > btw, will there be an official php4.0.4pl2 on php.net by that time?
> > > > > >
> > > > > > tnx
> > > > > > moshe.
> > > > > >
> > > > > > --
> > > > > >
> > > > > >
> > > > > > "Rasmus Lerdorf" <[EMAIL PROTECTED]> wrote in message
> > > > > > news:[EMAIL PROTECTED]...
> > > > > > > The reference is right in the link you posted.  Just upgrade to
> > > > > > > the latest version to address it.
> > > > > > >
> > > > > > > On Sat, 27 Jan 2001, moshe doron wrote:
> > > > > > >
> > > > > > > > http://freshmeat.net/news/2001/01/27/980597363.html
> > > > > > > >
> > > > > > > > Where can I find any references?
> > > > > > > >
> > > > > > > > tnx
> > > > > > > > moshe.
> > > > > > > >
> > > > > > > > --
> > > > > > > >
> > > > > > > > --
> > > > > > > > PHP Development Mailing List <http://www.php.net/>
> > > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > > > > > To contact the list administrators, e-mail: [EMAIL PROTECTED]
> > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
>

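The two httpd.conf workarounds James describes in the quoted advisory summary, written out as an added example; this fragment is constructed here and is not from the thread or the PHP advisory. It uses Apache 1.3 access-control syntax to match the mod_php4 setup discussed, and the IP address, hostnames and document roots are placeholders.

```apache
# Constructed example: the thread's two httpd.conf workarounds for the
# mod_php4 issues in PHP 4 up to 4.0.4. Not a substitute for 4.0.4pl1.

# Workaround 1: set the PHP engine explicitly in the DEFAULT (main) server
# context, so a "php_value engine off" in one <VirtualHost> block cannot
# propagate into the next virtual host that did not set it.
php_value engine on

# Workaround 2: refuse OPTIONS requests server-wide. The thread says this
# limits, to a certain extent, the second issue (php directives being set
# from request to request). LimitExcept whitelists the methods you serve;
# everything else, including OPTIONS, is denied. Apache 1.3 syntax.
<Directory />
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# Every vhost states its own engine setting instead of relying on what the
# previous vhost left behind. Addresses and paths below are placeholders.
<VirtualHost 192.0.2.10>
    ServerName static.example.com
    DocumentRoot /var/www/static
    # PHP intentionally disabled for this host.
    php_value engine off
</VirtualHost>

<VirtualHost 192.0.2.10>
    ServerName app.example.com
    DocumentRoot /var/www/app
    # Re-enabled explicitly; do not depend on inheritance from the default.
    php_value engine on
</VirtualHost>
```

Check the file with `apachectl configtest` before restarting; the LimitExcept block must list every method your applications legitimately use.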
