Subject: php and audit-packages
To: None <tech-pkg@NetBSD.org>
From: Geert Hendrickx <ghen@telenet.be>
List: tech-pkg
Date: 04/24/2007 09:37:29
Hi,
can we please do something about this one please:
Package php-4.4.6 has a privilege-escalation vulnerability, see
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5178
I've been getting this every day from too many machines for way too long now.
It's a stupid open_basedir bypass which, according to the original advisory[1],
cannot really be fixed without redesigning PHP, but worked around trivially (if
you are using open_basedir at all). So I suggest we remove this entry from
pkg-vulnerabilities, and add some general security note to the php4 and php5
MESSAGE files, with a link to this advisory[1] and maybe to PHP.net's Security
pages[2] as well.
What do you think?
Geert
[1] http://www.hardened-php.net/advisory_082006.132.html
[2] http://www.php.net/Security