Subject: audit-package and php 4.1.2
To: None <>
From: Manuel Bouyer <>
List: tech-security
Date: 03/06/2003 15:50:51
There is an entry in /pub/NetBSD/packages/distfiles/vulnerabilities
for php < 4.2.3nb2:
php<4.2.3nb2            remote-code-execution

However, from this advisory, 4.1.2 is safe, and this is also confirmed
by the commit message for this entry:
php4 < 4.2.3nb2 has a potential buffer overflow:
(actually 4.1.3 ... 4.2.3nb2, but I didn't know how to express that)

I'd like to solve this, because 4.1.2 are the binary packages provided
for the 1.6 pkgsrc branch, and I think it's especially bad to give false
positives on them. Is there a better way than adding multiple entries?
Is syntax like
allowed ?

Manuel Bouyer, LIP6, Universite Paris VI. 
     NetBSD: 24 years of experience will always make the difference