PHP 4.3.8 Security Fix situation?

Andy Green fedora at warmcat.com
Wed Jul 14 22:17:14 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 July 2004 22:45, Alexander Dalloz wrote:
> On Wed, 14.07.2004, at 23:18, Andy Green wrote:
> > Simple upgrade from 4.3.7-4 to 4.3.8 did it for me, no patch merging
> > was necessary.
> >
> > I could not find any Fedora RPMs beyond the 4.3.7-4 in Development.  So
> > at the moment there is no updated RPM and we should recompile from the
> > 4.3.8 sources?  Or did I miss a secret place that is not Testing,
> > Development or Updates?

> But I think he took the SRC.RPM of PHP version 4.3.7-4, changed
> everything in the spec file from 4.3.7 to the new PHP 4.3.8 release, and
> ran rpmbuild on that. So that means that no patch needs modification
> to fit the new sources.

Okay, I don't really know how to do that kind of RPM surgery, but I will see
if I can do it; since I have built a simple RPM before, it can't be much more
complex.

I hired a dedicated Internet-connected server based on Fedora a few weeks ago.
I had a very positive experience administering it, since I use Fedora all day
every day here anyway.  (I was surprised it came with unpatched original FC1,
without any firewall set up.)  It does a nightly yum update now and is
tightened up. However, I am using PHP/Apache on this server out on to the
Internet and it is worrying to be in a race.

> And Andy, the Bugzilla report is fresh and open. I just don't know whether
> Mark J. Cox (Security Response Team) is a Red Hat guy. At least the
> report is assigned to Joe Orton, who is responsible for Apache too.

Of course a lot of bad guys will be interested in such an exploit and be 
working hard too... let's hope we see an update tomorrow.

- -Andy

- -- 
Automatic actions for USB cameras, cardreaders, memory sticks, MP3 players
http://warmcat.com/usbautocam
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA9bDqjKeDCxMJCTIRAtR0AJ9SOVMKrDAelGwlCkDJ0mKqrlHzEACfZVRx
UiIZ3yWHLXfJDZd90FrMfNU=
=+Ysg
-----END PGP SIGNATURE-----




