pkgsrc-Users archive


RE: php-5.2.14 and security vulnerability



Thank you.

I saw both 5.2.x and 5.3.x packages on nyftp.
So I binary-upgraded my packages with those (5.3).

What is the pkgsrc keyword to enable 5.3 ?
I tried "PKG_PHP_VERSION=53 make clean" but that didn't work.

Regards,
    Jo

-----Original message-----
To:     Joel Carnat <joel%carnat.net@localhost>; 
Cc:     pkgsrc-users%netbsd.org@localhost; 
From:   Cem Kayali <cemkayali%eticaret.com.tr@localhost>
Sent:   Wed. 17-11-2010 01:03
Subject: Re: php-5.2.14 and security vulnerability
> 
> Hi,
> 
> PHP 5.2.14 Released! [22-Jul-2010]
> 
> This release marks the end of the active support for PHP 5.2. Following 
> this release the PHP 5.2 series will receive no further active bug 
> maintenance. Security fixes for PHP 5.2 might be published on a case by 
> case basis. All users of PHP 5.2 are encouraged to upgrade to PHP 5.3.
> 
> 
> I suggest you check security advisories, and if these advisories are 
> for features that you will not enable, it would be no problem to use 
> 5.2.14 -- though the 5.3 choice is better.
> 
> Regards,
> Cem
> 
> 
> 
> On 11/16/10 17:55, Joel Carnat wrote:
> > Hello,
> >
> > I was on my way to compile database/php5-ldap.
> > In that process, I encountered the following error:
> >   ===>  Checking for vulnerabilities in php-5.2.14
> >   Package php-5.2.14 has a multiple-vulnerabilities vulnerability, see http://secunia.com/advisories/39675/
> >   Package php-5.2.14 has a denial-of-service vulnerability, see http://secunia.com/advisories/41724/
> >   Package php-5.2.14 has a sensitive-information-exposure vulnerability, see http://secunia.com/advisories/42135/
> >   ERROR: Define ALLOW_VULNERABLE_PACKAGES in mk.conf or IGNORE_URL in pkg_install.conf(5) if this package is absolutely essential.
> >
> > Do we have a safe (hear not using ALLOW_VULNERABLE_PACKAGES ;) way to enable PHP ?
> > I couldn't find any update notification on the CVS tree.
> >
> > Did I miss something ?
> >
> > TIA,
> >    Jo
> 
>

