Simply wonderful news:>

But again, for design work, it isn't worth the trouble. I'm using SESSION 
variables $_POST, $_SESSION, and as long as they don't change, there's 
little point upgrading until the site is on-line. However, I will inform my 
IP to use all the latest versions.

I'm running Linux-Mandrake 8.2 and the distro's Apache, PHP, and PostgreSQL. 
I've rolled my own, but the distro's added features persuaded me to use them. 
When the site is finished, I will 'roll-my-own' and upgrade. Unfortunately, 
PostgreSQL and PHP tend to like spreading themselves all over my hard drive. It 
took me quite a bit of time to get my first versions working together.

So, as long as they haven't changed the functions, the vulnerabilities are a 
moot point at this time. Good to be aware of them, however.

Thanks for your concern.

Regards,
Andre

On Tuesday 23 July 2002 10:42 pm, you wrote:
> Yeah. Apache is vulnerable to a buffer overflow in the chunked-encoding,
> and PHP has (i think) a buffer overflow in the multipart/form-data POST
> form handling. It might be a format string though... that just came out
> this week. yesterday, i think.
>
> For dev you might want to consider using the CVS version- that's what I do.
> And if you set up a script for the cron-tab or something you could get the
> latest version overnight... Unfortunately, Apache CVS is not open to the
> public.
>
> On Tuesday 23 July 2002 17:58 pm, you wrote:
> > Well, that would be nice! Sort of 'completes-my-day' :>
> > So, both are vulnerable, eh? Great.
> >
> > Thanks for the warning -- but I'm using them for design only. Once the
> > site is on-line, I'll be sure to use the upgraded versions. From what I
> > read on-list, however, the current 'upgrades' have their problems too.
> > Luckily, I'll be on-line later in the fall, so enough time might pass for
> > the new PHP to stabilize.
> >
> > Regards, Andre
> >
> > On Tuesday 23 July 2002 08:47 pm, you wrote:
> > > What do you guys think? Should we tell him he's running a vulnerable
> > > version of PHP _and_ of Apache???
> > >
> > > On Tuesday 23 July 2002 16:26 pm, Andre Dubuc wrote:
> > > > Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2
> >
> > <snipped>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php