Subject: Re: @stake Advisory: PHP3/PHP4 Logging Format String
To: , , <>
From: None <>
List: tech-pkg
Date: 10/16/2000 22:56:13
=09Time to update our php3 package?

=09=09=09=09       -- No hype required --

---------- Forwarded message ----------
Date: Fri, 13 Oct 2000 00:13:30 +0300
From: "[iso-8859-1] Jouko Pynn=F6nen" <jouko@SOLUTIONS.FI>
Subject: Re: @stake Advisory: PHP3/PHP4 Logging Format String
    Vulnerability (A              101200-1)

On Thu, 12 Oct 2000, @stake Advisories wrote:

> We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
> to hold off releasing our advisory until a fix was available for PHP3
> since some users may not be able to easily upgrade to PHP4.  Fixes for
> PHP3 and PHP4 are now available. We are aware that Jouko Pynn=F6nen
> <> found this problem independantly but chose to releas=
> before the PHP3 fix was available.

The fix for PHP 3 seems to have been released about the same time as the
PHP 4 fix, ie. the day before my posting on this list:

 [   ]  php-3.0.17.tar.gz       11-Oct-2000 16:30   2.1M
 [   ]  php-4.0.3.tar.gz        11-Oct-2000 15:35   2.1M

I contacted the PHP team and vendor-sec list on 09/28/2000. The fix, by
the way, was first planned to be released as early as 10/05/2000. I didn't
mention the URL for PHP 3 fix in my posting which I should have done,
however finding it in the /distributions/ directory shouldn't be

IMHO after the first piece of information about a security flaw has been
released (such as the PHP security fix announcement), the sooner people
get to know the details and advice about solving the problem, the better;
pinpointing the exact bug is a matter of minutes for the "bad guys", by
using diff(1) on the sources if not otherwise.

Jouko Pynn=F6nen          Online Solutions Ltd       Secure your Linux -