Subject: Re: php and audit-packages
To: None <tech-pkg@NetBSD.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-pkg
Date: 04/24/2007 13:21:20
On Tue, Apr 24, 2007 at 09:37:29AM +0200, Geert Hendrickx wrote:
> I've been getting this every day from too many machines for way too long now.
> It's a stupid open_basedir bypass which, according to the original advisory[1],
> cannot really be fixed without redesigning PHP, but worked around trivially (if
> you are using open_basedir at all). So I suggest we remove this entry from
> pkg-vulnerabilities, and add some general security note to the php4 and php5
> MESSAGE files, with a link to this advisory[1] and maybe to PHP.net's Security
> pages[2] as well.
I'm opposing to remove entries because they can't be fixed. I also don't
think an entry in the MESSAGE file raises the awareness well enough.
Sadly enough, enough people are using open_basedir and trusting it...
Joerg