Re: php4-gd
On Sat, Nov 21, 2009 at 01:23:39PM +0100, Ruben de Groot wrote:
> On Sat, Nov 14, 2009 at 11:39:34PM +0100, Roman Neuhauser typed:
>> more like: you should have upgraded to PHP5 two years ago.
>> PHP4 is dead, baby. it's dead...
>
> Like COBOL and FORTRAN are dead? ;)

no, these languages are still alive (though not very hip). PHP4 has been abandoned by its sole vendor (the PHP project). there's no PHP4-2008, won't be.

http://en.wikipedia.org/wiki/Fortran#Fortran_2008

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: php4-gd
On Sat, Nov 14, 2009 at 11:39:34PM +0100, Roman Neuhauser typed:
> more like: you should have upgraded to PHP5 two years ago.
> PHP4 is dead, baby. it's dead...

Like COBOL and FORTRAN are dead? ;)
Re: php4-gd
On Sat, 21 Nov 2009 13:23:39 +0100 Ruben de Groot mai...@bzerk.org replied:
> Like COBOL and FORTRAN are dead?

Maybe not DEAD, but definitely comatose.

--
Jerry
ges...@yahoo.com

A friend of mine won't get a divorce, because he hates lawyers more than he hates his wife.
Re: php4-gd
On Sat, 21 Nov 2009 13:23:39 +0100, Ruben de Groot mai...@bzerk.org wrote:
> On Sat, Nov 14, 2009 at 11:39:34PM +0100, Roman Neuhauser typed:
>> more like: you should have upgraded to PHP5 two years ago.
>> PHP4 is dead, baby. it's dead...
>
> Like COBOL and FORTRAN are dead? ;)

More as... dead like the mainframe. :-)

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: php4-gd
On Tue, Nov 10, 2009 at 06:59:16AM +, Matthew Seaman wrote:
> Arek Czereszewski wrote:
>> I have on some web servers php4-gd port installed and I am totally confused.
>> Portaudit says
>> Affected package: php4-gd-4.4.9
>
> Basically, if you're running PHP4 on a public site then you should be making plans to upgrade to PHP5 ASAP.

more like: you should have upgraded to PHP5 two years ago. PHP4 is dead, baby. it's dead...
php4-gd
Hello,

I have on some web servers php4-gd port installed and I am totally confused.

Portaudit says

Affected package: php4-gd-4.4.9
Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
Reference: http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html

On this site is info about: 5.2.11 and 5.3.0
On Securityfocus is info also about 4.4.9 but on cve.mitre.org is not.

Any idea where the truth is? Are my servers with php4-gd secure or not?

Regards
Arek

--
Arek Czereszewski
arek (at) wup-katowice (dot) pl
UNIX allows me to work smarter, not harder.
Re: php4-gd
Arek Czereszewski wrote:
> Hello,
>
> I have on some web servers php4-gd port installed and I am totally confused.
>
> Portaudit says
>
> Affected package: php4-gd-4.4.9
> Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
> Reference: http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>
> On this site is info about: 5.2.11 and 5.3.0
> On Securityfocus is info also about 4.4.9 but on cve.mitre.org is not.
>
> Any idea where the truth is? Are my servers with php4-gd secure or not?

This is a bug in the underlying gd library rather than in PHP itself. There are fixes to two related ports: if you've updated graphics/gd to the latest version (gd-2.0.35_2,1), and built the latest port revision of the php5-gd module (which is php5-gd-5.2.11_2) then those should have been secured.

However, the PHP4 version of the gd module is still at version php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch for CVE-2009-3546 in the php4 sources -- so it seems you are still vulnerable when using PHP4.

This is to be expected: the PHP project is deprecating PHP4 and putting all their effort into developing PHP5 instead. Patches may be forthcoming eventually, but who knows when? Basically, if you're running PHP4 on a public site then you should be making plans to upgrade to PHP5 ASAP.

Cheers,
Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
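Added example (not part of the original thread and not FreeBSD's own code): a sketch of the triage the reply above describes, checking an installed package against the fixed port versions it names (gd-2.0.35_2,1 and php5-gd-5.2.11_2, none for php4-gd). The function names ver_cmp and triage and the sample package list are constructed, and the comparison assumes purely numeric VERSION[_REVISION][,EPOCH] strings.

```shell
#!/bin/sh
# Added example, not from the thread. ver_cmp and triage are hypothetical names.
# Simplified port-version comparison: numeric VERSION[_REVISION][,EPOCH] only.
# On FreeBSD itself, pkg_version -t performs the real comparison.

# Print "<", "=" or ">" for version $1 relative to version $2.
ver_cmp() {
    awk -v a="$1" -v b="$2" '
    function epoch(v,    n) { n = index(v, ","); return n ? substr(v, n + 1) + 0 : 0 }
    function rev(v,    n) { sub(/,.*/, "", v); n = index(v, "_"); return n ? substr(v, n + 1) + 0 : 0 }
    function base(v) { sub(/[_,].*/, "", v); return v }
    function num(x, y) { return x < y ? "<" : (x > y ? ">" : "=") }
    function dotted(x, y,    xs, ys, nx, ny, i, r) {
        nx = split(x, xs, "."); ny = split(y, ys, ".")
        for (i = 1; i <= nx || i <= ny; i++) {
            r = num(xs[i] + 0, ys[i] + 0)
            if (r != "=") return r
        }
        return "="
    }
    BEGIN {
        r = num(epoch(a), epoch(b))                   # PORTEPOCH outranks everything
        if (r == "=") r = dotted(base(a), base(b))    # then the upstream version
        if (r == "=") r = num(rev(a), rev(b))         # then PORTREVISION
        print r
    }'
}

# Fixed versions are the ones named in the reply; php4-gd has none.
triage() {
    name=${1%-*}; ver=${1##*-}
    case $name in
        gd)      fixed=2.0.35_2,1 ;;
        php5-gd) fixed=5.2.11_2 ;;
        php4-gd) echo "$1: no fixed version exists, migrate to PHP5"; return ;;
        *)       echo "$1: not covered by this advisory"; return ;;
    esac
    if [ "$(ver_cmp "$ver" "$fixed")" = "<" ]; then
        echo "$1: vulnerable, upgrade to $name-$fixed"
    else
        echo "$1: at or above the fixed port version"
    fi
}

# Constructed sample of installed packages (not taken from a real host).
for p in gd-2.0.35_1,1 php5-gd-5.2.11_2 php4-gd-4.4.9; do
    triage "$p"
done
```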
Re: php4-gd
On 2009-11-10 07:59, Matthew Seaman wrote:
> Arek Czereszewski wrote:
>> Hello,
>>
>> I have on some web servers php4-gd port installed and I am totally confused.
>>
>> Portaudit says
>>
>> Affected package: php4-gd-4.4.9
>> Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
>> Reference: http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html
>>
>> On this site is info about: 5.2.11 and 5.3.0
>> On Securityfocus is info also about 4.4.9 but on cve.mitre.org is not.
>>
>> Any idea where the truth is? Are my servers with php4-gd secure or not?
>
> This is a bug in the underlying gd library rather than in PHP itself. There are fixes to two related ports: if you've updated graphics/gd to the latest version (gd-2.0.35_2,1), and built the latest port revision of the php5-gd module (which is php5-gd-5.2.11_2) then those should have been secured.
>
> However, the PHP4 version of the gd module is still at version php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch for CVE-2009-3546 in the php4 sources -- so it seems you are still vulnerable when using PHP4.
>
> This is to be expected: the PHP project is deprecating PHP4 and putting all their effort into developing PHP5 instead. Patches may be forthcoming eventually, but who knows when? Basically, if you're running PHP4 on a public site then you should be making plans to upgrade to PHP5 ASAP.
>
> Cheers,
> Matthew

Hi,

So I need to upgrade php4 to php5. Thank you for information.

Regards
Arek

--
Arek Czereszewski
arek (at) wup-katowice (dot) pl
UNIX allows me to work smarter, not harder.