PHP vulnerabilities?
Marc Deslauriers
marcdeslauriers at videotron.ca
Sat Dec 18 16:31:19 UTC 2004
On Sat, 2004-12-18 at 07:31 +0200, Pekka Savola wrote:
> That is the easiest way. Has anyone actually looked, btw, how well
> the security patch against 4.3.9 (e.g., from OpenPKG) applies to 4.1.2
> (RHL73) or php 4.2 (RHL9) ?
>
I took a look at 4.1.2 using Red Hat's test patches from bugzilla as a
reference:
CAN-2004-1065 applies to 4.1.2, probably needs a new patch made
CAN-2004-1018 applies to 4.1.2, needs a new patch made
CAN-2004-1019 is unknown. The unserialize() function in 4.1.2 is
completely different; the vulnerability may not even exist, although
someone will have to use the PoC and test it.
CAN-2004-1063 and CAN-2004-1064 seem to apply only to threaded php
servers. Red Hat is not patching php in RHEL as it is not built to
support threads. I haven't checked if php in rh7.3, rh9 or fc1 is built
to support threads or not.
Marc.
More information about the fedora-legacy-list
mailing list