RE: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Jay Blanchard

[snip]
Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
(1.8.4) libraries are giving us some headaches. Some of what seems to be
wrong;
...
You're simply looking at the old PHP.

You did stop/start Apache, right?...  Cuz the new PHP won't kick in until
you do.

If so, almost for sure your installation of the new PHP binary is not
happening correctly.

Watch carefully when you do make install to see where your new copies go.
Use locate modphp.so or whatever it is to find out where your old copies
are.
[/snip]

We finally got this right yesterday afternoon, it ended up being, as Richard
said, a directories problem. Ah well, live and learn :) The FreeBSD boxes
went off without a hitch.

Jay



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Adam Voigt


 Who said anything about M$?  I don't use their crappy products so I 
 don't have to deal with their security issues.

I'm the one who brought up Microsoft, I'm saying it's a whole lot better
than the alternatives.

 If PHP 4.2 is unsafe then why is it listed at the top of the page for 
 download?  There is not a shred of text saying do not use in production, 
 no unsafe warnings whatsoever.  How am I supposed to magically find the 
 'do not use' warnings?

You have to magically find this by reading the messages on this list,
not more than a month ago, someone asked was it considered stable for
production use, and the answer was no. I was going to type a long rant
about how you should test software or at least wait a while for the kinks
to be worked out of new versions instead of running cutting edge, but
screw it, I'm not wasting any more time on this.

 It's not about that..  It's about the hell I've already been through with 
 the new register_globals setting.  Then two huge ass security holes 
 following in the next couple of months after that.

I know, they're such bastards for releasing security patches to fix the
holes they know about instead of burying the evidence and denying a
hole exists.
 
 If it doesn't bother you the hassles 'the php group' is putting me, you, 
 and a lot of others through then I guess that's just you.  I can't 
 help but get pissed about it.  I did not have the time to do these 
 upgrades, but now I have to make time.

You know you're right, the PHP group (god bless them) is out to get you,
individually, they intentionally put security holes into the software,
so they can go back later and make you patch your dozens of systems
and make your life a living hell. And it's not just me who doesn't mind
upgrading, it's just you who can't handle it.

Adam Voigt
[EMAIL PROTECTED]







Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Peter

Well, I'm not sure about the 'you get what you pay for'. Some paid for
software has less support and documentation than PHP!


Justin French [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Greg,

 Your attitude stinks.

 PHP is a FREE scripting language.  Think about the amount of money you are
 probably charging hosting clients, or charging in web or programming
 services, or making in site revenue, or whatever way you 'commercially
 function' through PHP.

 The register globals 'imposition' IS more secure and encourages better
 coding practices... would you prefer they made the change now, or in 5
 years when you have 100's more sites to fix.  Better late than later.


 If you want something that will never have a bug, never have a security
 hole, performs perfectly from day 1, never has an upgrade/change, and will
 never change for the better, you are utterly dreaming!

 The difference in this case is that the PHP Group aren't emptying your
 wallet.


 Sorry to hear that you'll have to do some more upgrading, but I'd keep the
 complaining to yourself -- you get what you pay for springs to mind, but
 in the case of PHP, we get a whole lot more.


 Justin French









 on 23/07/02 2:55 AM, Greg Donald ([EMAIL PROTECTED]) wrote:

  Not only did I get to re-write all my apps the past few months because
  of the new register_globals default that was imposed by `the php group`...
 
  Now I get to upgrade my PHP install once a month or so cause of new
  security holes..  Yay!
 
  Wasn't this new register_globals setting supposed to enhance security?
 
  How would you like to be a sys admin with dozens of machines to upgrade
  before you can proceed with anything else?
 
  Can anyone say Ruby?
 








Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-23 Thread Richard Lynch

Well, I'm not sure about the 'you get what you pay for'. Some paid for
software has less support and documentation than PHP!

In my experience, *ALL* paid-for software has less support and documentation
than PHP.

This is excluding support contracts for software you paid for -- Once you
pay Oracle enough money for Support Contracts, they have pretty good
support, from what I hear... :-)

-- 
Like Music?  http://l-i-e.com/artists.htm
I'm looking for a PRO QUALITY two-input sound card supported by Linux (any
major distro).  Need to record live events (mixed already) to stereo
CD-quality.  Soundcard Recommendations?
Software to handle the recording? Don't need fancy mixer stuff.  Zero (0)
post-production time.  Just raw PCM/WAV/AIFF 16+ bit, 44.1KHz, Stereo
audio-to-disk.





Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Adam Voigt

Hey man, if you can't stand the heat, get out of the freakin sun.
At least PHP tells you about holes, not like Microsoft who will fix it
six months down the line (if they even admit a hole exists). Plus, if
you're running anything past 4.1.2 on production systems, it's your own
damn fault because several times it has been said that the 4.2 series
wasn't considered safe for production use. And by the way, don't want to
use PHP anymore because of this? Then don't. PHP doesn't need you, the
rest of the people who can handle an update without whining will be
fine.

Adam Voigt
[EMAIL PROTECTED]

On Mon, 2002-07-22 at 12:55, Greg Donald wrote:
 On Mon, 22 Jul 2002, Marko Karppinen wrote:
 
PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1
 
 Not only did I get to re-write all my apps the past few months because of 
 the new register_globals default that was imposed by `the php group`...
 
 Now I get to upgrade my PHP install once a month or so cause of new 
 security holes..  Yay!
 
 Wasn't this new register_globals setting supposed to enhance security?
 
 How would you like to be a sys admin with dozens of machines to upgrade 
 before you can proceed with anything else?
 
 Can anyone say Ruby?
 
 
 -- 
 Greg Donald
 http://destiney.com
 
 
 







Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Richard Baskett

Well from the sound of it, it's a quick painless process to upgrade php to
the newest version using the patch.  Can anyone that has done it comment on
the complexities of the upgrade?  I'm just going on what it says on the php
homepage...

Rick

When you walk to the edge of all the light you have and take that first
step into the darkness of the unknown you must believe that one of two
things will happen:
There will be something solid for you to stand upon or, you will be taught
how to fly. - Patrick Overton

 From: Greg Donald [EMAIL PROTECTED]
 Date: Mon, 22 Jul 2002 12:30:50 -0500 (CDT)
 To: [EMAIL PROTECTED]
 Subject: Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0
 and 4.2.1
 
 On 22 Jul 2002, Adam Voigt wrote:
 
 Hey man, if you can't stand the heat, get out of the freakin sun.
 At least PHP tells you about holes, not like Microsoft who will fix it
 six months down the line (if they even admit a hole exists). Plus, if
 
 Who said anything about M$?  I don't use their crappy products so I
 don't have to deal with their security issues.
 
 you're running anything past 4.1.2 on production systems, it's your own
 damn fault because several times it has been said that the 4.2 series
 wasn't considered safe for production use. And by the way, don't want to
 
 If PHP 4.2 is unsafe then why is it listed at the top of the page for
 download?  There is not a shred of text saying do not use in production,
 no unsafe warnings whatsoever.  How am I supposed to magically find the
 'do not use' warnings?
 
 use PHP anymore because of this? Then don't. PHP doesn't need you, the
 rest of the people who can handle an update without whining will be
 fine.
 
 It's not about that..  It's about the hell I've already been through with
 the new register_globals setting.  Then two huge ass security holes
 following in the next couple of months after that.
 
 If it doesn't bother you the hassles 'the php group' is putting me, you,
 and a lot of others through then I guess that's just you.  I can't
 help but get pissed about it.  I did not have the time to do these
 upgrades, but now I have to make time.
 
 
 -- 
 Greg Donald
 http://destiney.com
 
 
 






Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread 1LT John W. Holmes

 Well from the sound of it, it's a quick painless process to upgrade php to
 the newest version using the patch.  Can anyone that has done it comment
 on the complexities of the upgrade?  I'm just going on what it says on the
 php homepage...

Nice and easy for me, I'm running it on windows, though. Just delete the old
PHP folder, unzip and copy the new one, and restart IIS. (php.ini is
elsewhere).

This other guy needs to quit his freakin whining and just do his job. Or go
use ASP...the choice is yours.

---John Holmes...






RE: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Matt Babineau

Heh

ASP.

Hehehehehe

Matt Babineau
MCWD / CCFD
-
e: [EMAIL PROTECTED]
p: 603.943.4237
w: http://www.criticalcode.com
PO BOX 601
Manchester, NH 03105


-Original Message-
From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 22, 2002 1:52 PM
To: Richard Baskett; PHP General
Subject: Re: [PHP] PHP Security Advisory: Vulnerability in PHP
versions 4.2.0 and 4.2.1


 Well from the sound of it, it's a quick painless process to upgrade 
 php to the newest version using the patch.  Can anyone that has done 
 it comment on the complexities of the upgrade?  I'm just going on what
 it says on the php homepage...

Nice and easy for me, I'm running it on windows, though. Just delete the
old PHP folder, unzip and copy the new one, and restart IIS. (php.ini is
elsewhere).

This other guy needs to quit his freakin whining and just do his job. Or
go use ASP...the choice is yours.

---John Holmes...








RE: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Jay Blanchard

[snip]
Can anyone that has done it comment on the complexities of the upgrade?
[/snip]

Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
(1.8.4) libraries are giving us some headaches. Some of what seems to be
wrong;

phpinfo() does not show new build times for each compile, not seemingly a
caching problem (we have shut down browsers and then re-opened them to no
avail as far as updated information).

The configure command portion of phpinfo() does not show items we configured
with PHP.

GD throws errors; imageCreate() as an undefined function.


We haven't moved on to our FreeBSD boxes yet.

Jay







Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Richard Lynch

Well, trying to upgrade on Slackware Linux 8.0 and compiling with the GD
(1.8.4) libraries are giving us some headaches. Some of what seems to be
wrong;

phpinfo() does not show new build times for each compile, not seemingly a
caching problem (we have shut down browsers and then re-opened them to no
avail as far as updated information).

The configure command portion of phpinfo() does not show items we configured
with PHP.

GD throws errors; imageCreate() as an undefined function.


You're simply looking at the old PHP.

You did stop/start Apache, right?...  Cuz the new PHP won't kick in until
you do.

If so, almost for sure your installation of the new PHP binary is not
happening correctly.

Watch carefully when you do make install to see where your new copies go.
Use locate modphp.so or whatever it is to find out where your old copies
are.

I'm betting they don't match up.

-- 
Like Music?  http://l-i-e.com/artists.htm
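
The check described in the message above (find where the rebuilt module landed and compare it with the copy Apache actually loads), as an added example that is not part of the thread. It assumes PHP is loaded as a DSO through a `LoadModule php*_module <path>` line; the file-name patterns `libphp*.so` / `mod_php*.so`, the function names and the fixture are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache loads PHP as a DSO via a
# "LoadModule php*_module <path>" line; file-name patterns are assumptions.

# Print the absolute path of the PHP module named in CONF ($1). Relative
# paths are resolved against SERVERROOT ($2). Commented-out lines are ignored.
loaded_php_module() {
    path=$(awk 'tolower($1) == "loadmodule" && $2 ~ /^php[0-9]*_module$/ { print $3; exit }' "$1")
    [ -n "$path" ] || return 1
    case $path in
        /*) printf '%s\n' "$path" ;;
        *)  printf '%s/%s\n' "$2" "$path" ;;
    esac
}

# Usage: check_php_module CONF SERVERROOT SEARCHDIR
# Prints "OK <loaded>" (returns 0), "STALE <loaded> <newer copy>" (returns 1),
# or an error line (returns 2).
check_php_module() {
    loaded=$(loaded_php_module "$1" "$2") || { echo "NO_LOADMODULE $1"; return 2; }
    [ -f "$loaded" ] || { echo "MISSING $loaded"; return 2; }
    # A copy elsewhere that is newer than the loaded one means "make install"
    # wrote the rebuilt module somewhere Apache is not reading from.
    newer=$(find "$3" -type f \( -name 'libphp*.so' -o -name 'mod_php*.so' \) \
                 -newer "$loaded" 2>/dev/null | head -n 1)
    if [ -n "$newer" ]; then
        echo "STALE $loaded $newer"; return 1
    fi
    echo "OK $loaded"
}

# Constructed fixture: an old module where Apache looks, a rebuilt one elsewhere.
make_fixture() {
    mkdir -p "$1/apache/libexec" "$1/apache/conf" "$1/local/libexec"
    printf '%s\n' '#LoadModule php3_module libexec/libphp3.so' \
                  'LoadModule php4_module libexec/libphp4.so' > "$1/apache/conf/httpd.conf"
    : > "$1/apache/libexec/libphp4.so"; touch -t 200205130000 "$1/apache/libexec/libphp4.so"
    : > "$1/local/libexec/libphp4.so";  touch -t 200207220000 "$1/local/libexec/libphp4.so"
}

if [ "$#" -eq 3 ]; then check_php_module "$@"; fi
```

Modification time is only a heuristic here; a `STALE` result still needs the stop/start of Apache after the right file is in place, since a running server keeps the old module mapped.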






Re: [PHP] PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1

2002-07-22 Thread Justin French

Greg,

Your attitude stinks.

PHP is a FREE scripting language.  Think about the amount of money you are
probably charging hosting clients, or charging in web or programming
services, or making in site revenue, or whatever way you 'commercially
function' through PHP.

The register globals 'imposition' IS more secure and encourages better
coding practices... would you prefer they made the change now, or in 5 years
when you have 100's more sites to fix.  Better late than later.


If you want something that will never have a bug, never have a security
hole, performs perfectly from day 1, never has an upgrade/change, and will
never change for the better, you are utterly dreaming!

The difference in this case is that the PHP Group aren't emptying your
wallet.


Sorry to hear that you'll have to do some more upgrading, but I'd keep the
complaining to yourself -- you get what you pay for springs to mind, but
in the case of PHP, we get a whole lot more.


Justin French









on 23/07/02 2:55 AM, Greg Donald ([EMAIL PROTECTED]) wrote:

 Not only did I get to re-write all my apps the past few months because of
 the new register_globals default that was imposed by `the php group`...
 
 Now I get to upgrade my PHP install once a month or so cause of new
 security holes..  Yay!
 
 Wasn't this new register_globals setting supposed to enhance security?
 
 How would you like to be a sys admin with dozens of machines to upgrade
 before you can proceed with anything else?
 
 Can anyone say Ruby?
 

