PHP 4.3.8 Security Fix situation?

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Wed Jul 14 22:35:59 UTC 2004


Am Do, den 15.07.2004 schrieb Andy Green um 0:17:

> I hired a dedicated Internet-connected server a few weeks ago based on Fedora, 
> I had a very positive experience administering it since I use Fedora all day 
> every day here anyway.  (I was surprised it came with unpatched original FC1, 
> without any firewall set up).  It does nightly yum update now and is 
> tightened up. However I am using PHP/Apache on this server out on to the 
> Internet and it is worrying to be in a race.

Right, running a machine on public net you have to worry about each
vulnerability which occurs to be a good administrator.

Delivery of not updated original distributions is unfortunately some
kind of common. About your worry missing a firewall set up, I don't
think a firewall makes sense on a dedicated server. What do you want to
prevent with it? Of course, I can imagine specific setups where specific
iptables rules make sense, but a default setup does not need a
firewalling. Either you want to offer services like i.e. webhosting with
Apache and want to be able to administer the server through SSH, or you
won't. So run only the services (daemons) you need and stop the others.
No need to block any port then.

> > And Andy, the bugzilla report is fresh and open. Just don't know whether
> > Mark J. Cox (Security Response Team) is a Redhat guy. At least the
> > report is assigned to Joe Orton who is responsible for Apache too.
> 
> Of course a lot of bad guys will be interested in such an exploit and be 
> working hard too... let's hope we see an update tomorrow.

Yes, it is a current cat & mice game. Actually take care the you did not
set register_globals to on in /etc/php.ini. It is off by default and
should stay so.

> Andy

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) Athlon CPU kernel 2.6.6-1.435.2.3.uml
Serendipity 00:28:27 up 1 day, 22:10, load average: 1.00, 1.10, 1.17 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://listman.redhat.com/archives/fedora-list/attachments/20040715/6fdb0e36/attachment-0001.sig>


More information about the fedora-list mailing list