PHP Attacks....

James Kosin jkosin at beta.intcomgrp.com
Wed Nov 9 22:04:27 UTC 2005


Michal Jaegermann wrote:

>On Wed, Nov 09, 2005 at 04:19:35PM -0500, James Kosin wrote:
>
>>>On Wed, Nov 09, 2005 at 11:22:28AM -0800, Jesse Keating wrote:
>>>
>>>>Does look like we need to patch this. RHEL issued an update,
>>>
>>>
>>>Do you mean that one from August?
>>>https://rhn.redhat.com/errata/RHSA-2005-748.html CAN ids between
>>>that one and http://www.securityfocus.com/bid/14088/info do not
>>>agree although the latest worm descriptions would suggest that
>>>RHSA-2005:748-05 is the correct one.
>>>
>>>Michal
>>>
>>>-- fedora-legacy-list mailing list fedora-legacy-list at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-legacy-list
>>
>>The CVE website states that CAN-2005-2498 is not the same as
>>CAN-2005-1921; so, I think to reason; both need to be fixed if we are
>>vulnerable.
>
>
>Indeed. But sources referenced in RHSA-2005:564-15, where
>CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly
>marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest
>presumably have fixes for all these. Source packages are somewhat
>different for RHEL3 and RHEL4 so you possibly need a right fit for
>FC1 and FC2.
>
>In my earlier remarks I meant that it does not look that any fix
>is needed for RH7.3; simply because the code with problems is not
>there.
>
>Yesterday's updates for FC3 also include php-4.3.11-2.8.src.rpm
>(and php-5.0.4-10.5.src.rpm for FC4).
>
> Michal
>
>--
>fedora-legacy-list mailing list
>fedora-legacy-list at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-legacy-list

Yes, but the release for FC3 doesn't have a patch for 2005-2498...
They have a newer XML_RPC.tgz file.
They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
CVE-2005-3390...
do we need to concern ourselves with these?

James Kosin