Subject: php and audit-packages
To: None <tech-pkg@NetBSD.org>
From: Geert Hendrickx <firstname.lastname@example.org>
Date: 04/24/2007 09:37:29

Can we please do something about this one please:

Package php-4.4.6 has a privilege-escalation vulnerability, see

I've been getting this every day from too many machines for way too long now.
It's a stupid open_basedir bypass which, according to the original advisory,
cannot really be fixed without redesigning PHP, but worked around trivially (if
you are using open_basedir at all). So I suggest we remove this entry from
pkg-vulnerabilities, and add some general security note to the php4 and php5
MESSAGE files, with a link to this advisory and maybe to PHP.net's Security
pages as well.

What do you think?