Re: [PHP] Security patch from 4.3.8 to 4.3.9
Jason Wong wrote:

> On Thursday 14 October 2004 00:55, Jay Blanchard wrote:
>
>> Looking at http://www.php/net/downloads I do not see one.
>
> Maybe that's why the OP asked? Anyway I don't see the reason why one would want a patch. Surely bandwidth can't be an issue? And applying a patch would most certainly mean taking the webserver offline briefly as would a full upgrade.

That's true, but the reason is that I had an issue last time I upgraded (from 4.3.4 to 4.4.8), not a big one, but enough to force the rollback and retry after analyzing and solving the cause. It was a change in the values accepted by open_basedir that triggered my problem.

Well.. that's why I prefer patching to upgrading. Looking in the CVS I found this, but I am not sure if that is ALL the change needed to fix the security bug.

http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.45.2.6r2=1.45.2.7ty=u

Saludos!
Federico Petronio

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Security patch from 4.3.8 to 4.3.9
Steve Brown wrote:

>> Hello, I would like to know if there is a patch just for the security fix from PHP-4.3.8 to PHP-4.3.9 and where I can find it.
>
> 4.3.8 - 4.3.9 is not a security fix, i.e. there are no security holes closed in 4.3.9. From the 4.3.9 announce:
>
> PHP Development Team is proud to announce the immediate release of PHP 4.3.9. This is a maintenance release that in addition to over 50 non-critical bug fixes, addresses a problem with GPC input processing.

According to these:

http://secunia.com/advisories/12560/
http://www.securityfocus.com/bid/11334
http://www.securityfocus.com/bid/11190

There are security bugs in 4.3.9 and, at least Secunia, reports that they are solved in 4.3.9. The "addresses a problem with GPC input processing" is related to one of the bugs.
Re: [PHP] Security patch from 4.3.8 to 4.3.9
* Thus wrote Federico Petronio:

> ...
> Well.. that's why I prefer patching to upgrading. Looking in the CVS I found this, but I am not sure if that is ALL the change needed to fix the security bug.
>
> http://cvs.php.net/diff.php/php-src/main/php_variables.c?r1=1.45.2.6r2=1.45.2.7ty=u

I'd strongly discourage applying random patches on files. A fix for a file may be due to a result of another change elsewhere, which could potentially cause more problems.

Curt
--
Quoth the Raven, Nevermore.
RE: [PHP] Security patch from 4.3.8 to 4.3.9
[snip]
Hello, I would like to know if there is a patch just for the security fix from PHP-4.3.8 to PHP-4.3.9 and where I can find it.
[/snip]

Looking at http://www.php/net/downloads I do not see one.
Re: [PHP] Security patch from 4.3.8 to 4.3.9
On Thursday 14 October 2004 00:55, Jay Blanchard wrote:

> [snip]
> Hello, I would like to know if there is a patch just for the security fix from PHP-4.3.8 to PHP-4.3.9 and where I can find it.
> [/snip]
>
> Looking at http://www.php/net/downloads I do not see one.

Maybe that's why the OP asked? Anyway I don't see the reason why one would want a patch. Surely bandwidth can't be an issue? And applying a patch would most certainly mean taking the webserver offline briefly as would a full upgrade.

--
Jason Wong - Gremlins Associates - www.gremlins.biz
Open Source Software Systems Integrators
* Web Design Hosting * Internet Intranet Applications Development *
--
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
--
/*
The first version always gets thrown away.
*/