PHP Attacks....

Marc Deslauriers marcdeslauriers at videotron.ca
Wed Nov 9 22:21:27 UTC 2005


On Wed, 2005-11-09 at 17:04 -0500, James Kosin wrote:
> >>The CVE website states that CAN-2005-2498 is not the same as
> >>CAN-2005-1921; so, I think to reason; both need to be fixed if we are
> >>vulnerable.
> >
> >
> >Indeed. But sources referenced in RHSA-2005:564-15, where
> >CAN-2005-1751 and CAN-2005-1921 are mentioned, are explicitly
> >marked as outdated by RHSA-2005:748-05 (CAN-2005-2498) so the latest
> >presumably have fixes for all these. Source packages are somewhat
> >different for RHEL3 and RHEL4 so you possibly need a right fit for
> >FC1 and FC2.
> >
> >In my earlier remarks I meant that it does not look that any fix
> >is needed for RH7.3; simply because the code with problems is not
> >there.
> >
> >Yesterday updates for FC3 include also php-4.3.11-2.8.src.rpm
> >(and php-5.0.4-10.5.src.rpm for FC4).
> >
> > Michal
> >
> >--
> >fedora-legacy-list mailing list
> >fedora-legacy-list at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-legacy-list
> 
> Yes, but the release for FC3 doesn't have a patch for 2005-2498...
> They have a newer XML_RPC.tgz file.
> They also address CVE-2005-3353, CVE-2005-3388, CVE-2005-3389 and
> CVE-2005-3390...
> do we need to concern ourselves with these?

Right now, the worm that is going around is targeting CAN-2005-1921. FL
released updates for that in July.

Tonight, I'll build some packages that address all the other issues,
just in case. They will be located here for QA:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166943

Marc.
