Subject: Re: @stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A101200-1) (fwd)
To: tech-pkg@netbsd.org, cjs@netbsd.org, tech-security@netbsd.org
From: abs@purplei.com
List: tech-security
Date: Mon, 16 Oct 2000 22:56:13 +0100 (BST)
Message-ID: <Pine.NEB.4.29.9999.0010162254520.274-100000@localhost>

	Time to update our php3 package?


		David/absolute
				       -- www.netbsd.org: No hype required --

---------- Forwarded message ----------
Date: Fri, 13 Oct 2000 00:13:30 +0300
From: Jouko Pynnönen <jouko@SOLUTIONS.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: @stake Advisory: PHP3/PHP4 Logging Format String
    Vulnerability (A101200-1)

On Thu, 12 Oct 2000, @stake Advisories wrote:

> We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
> to hold off releasing our advisory until a fix was available for PHP3
> since some users may not be able to easily upgrade to PHP4.  Fixes for
> PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
> <jouko@solutions.fi> found this problem independently but chose to release
> before the PHP3 fix was available.

The fix for PHP 3 seems to have been released about the same time as the
PHP 4 fix, i.e. the day before my posting on this list:

 [   ]  php-3.0.17.tar.gz       11-Oct-2000 16:30   2.1M
 [   ]  php-4.0.3.tar.gz        11-Oct-2000 15:35   2.1M

I contacted the PHP team and vendor-sec list on 09/28/2000. The fix, by
the way, was first planned to be released as early as 10/05/2000. I didn't
mention the URL for PHP 3 fix in my posting which I should have done,
however finding it in the /distributions/ directory shouldn't be
difficult.

IMHO after the first piece of information about a security flaw has been
released (such as the PHP security fix announcement), the sooner people
get to know the details and advice about solving the problem, the better;
pinpointing the exact bug is a matter of minutes for the "bad guys", by
using diff(1) on the sources if not otherwise.


--
Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
jouko@solutions.fi                                 http://www.secmod.com
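The "diff(1) on the sources" step Jouko refers to, as an added example that is not part of the original thread and not PHP's code: two small release trees are constructed inline, one with a logging routine that passes request-derived text as the format argument and one with the fix, plus a cosmetic version bump as noise. The function, file and version names (`log_request_error`, `main/log.c`, `PHP_VERSION`) are hypothetical stand-ins and do not reproduce the actual PHP 3.0.17 / 4.0.3 change; the `"%s"` pattern the script looks for is a narrow heuristic for this bug class, not a general fix detector.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from
# PHP: locate a security fix by diffing the release that shipped it against
# the release before it. Both trees are constructed here; the logging
# function, file names and version strings are hypothetical and are not
# PHP's actual source or the actual 3.0.17 / 4.0.3 fix.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
mkdir -p old/main new/main

# "Previous release": request-derived text is passed as the format
# argument, so conversion specifiers inside that text are interpreted.
cat > old/main/log.c <<'EOF'
#include <syslog.h>

void log_request_error(const char *msg)
{
    syslog(LOG_NOTICE, msg);
}
EOF

# "Fixed release": a constant format string, the message as an argument.
cat > new/main/log.c <<'EOF'
#include <syslog.h>

void log_request_error(const char *msg)
{
    syslog(LOG_NOTICE, "%s", msg);
}
EOF

# A cosmetic change in the same release, to show it gets filtered out.
printf '#define PHP_VERSION "3.0.16"\n' > old/main/version.h
printf '#define PHP_VERSION "3.0.17"\n' > new/main/version.h

# An untouched file produces no diff output at all.
printf 'unchanged\n' > old/main/README
printf 'unchanged\n' > new/main/README

# Print file:line for every added line in the unified diff between two
# trees that introduces a literal "%s" format into a printf/syslog-family
# call. Deliberately narrow: it ranks hunks for a reader, it does not
# replace reading them.
find_format_fixes() {
    diff -ru "$1" "$2" | awk '
        /^\+\+\+ / { file = $2; next }                          # new-file header
        /^@@ /     { split($3, a, ","); line = substr(a[1], 2) + 0; next }
        /^\+/ && $0 ~ /(syslog|printf|sprintf|snprintf|fprintf)\(.*"%s"/ {
            print file ":" line
        }
        /^\+/ || /^ / { line++ }                                # lines in new file
    '
}

# Number of files the diff touches, for the summary line.
changed_files() {
    diff -ru "$1" "$2" | grep -c '^+++ '
}

echo "files changed: $(changed_files old new)"
echo "candidate format-string fixes:"
find_format_fixes old new
```

Run as-is; it prints two changed files and a single candidate, `new/main/log.c:5`, the line where a constant format string was introduced. With a real release pair the same two-step approach (diff the trees, then grep the hunks for the bug class named in the advisory) narrows the search to a handful of lines, which is the point Jouko makes about how little the full details withhold from an attacker once the fix is public.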