Date:      Thu, 01 May 2008 10:27:09 +0200
From:      Gunther Mayer <gunther.mayer@googlemail.com>
To:        freebsd-security@freebsd.org
Subject:   validity of php 5.2.1 vulnerability
Message-ID:  <48197EDD.7030308@gmail.com>

Hi there,

Some days ago there was an integer overflow vulnerability posted for php 
5.2.1 and earlier 
(http://www.freebsd.org/ports/portaudit/f6377f08-12a7-11dd-bab7-0016179b2dd5.html). 
I immediately upgraded my php to 5.2.1_1 but portaudit still complains 
that the vulnerability still exists:

    [root@myserver ~]# portaudit -a
    Affected package: php5-5.2.5_1
    Type of problem: php -- integer overflow vulnerability.
    Reference: <http://www.FreeBSD.org/ports/portaudit/f6377f08-12a7-11dd-bab7-0016179b2dd5.html>

    1 problem(s) in your installed packages found.

    You are advised to update or deinstall the affected package(s) immediately.

However, I cannot upgrade any further as 5.2.5_1 *is* the version that 
was supposed to fix this:

    [root@myserver ~]# portupgrade -nv php5
    --->  Session started at: Thu, 01 May 2008 10:19:33 +0200
    ** No need to upgrade 'php5-5.2.5_1' (>= php5-5.2.5_1). (specify -f to force)
    --->  ** Upgrade tasks 1: 0 done, 1 ignored, 0 skipped and 0 failed
    --->  Listing the results (+:done / -:ignored / *:skipped / !:failed)
            - lang/php5 (php5-5.2.5_1)
    --->  Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
    --->  Session ended at: Thu, 01 May 2008 10:19:36 +0200 (consumed 00:00:02)

Looking closer at the information given in the above URL the 
vulnerability specifies that all "php5 >0" is affected, which to me 
means that all php5 versions until all eternity will be marked 
vulnerable, not only those <= 5.2.1.

Can somebody please fix the CVE or tell me what I'm doing wrong? I don't 
want to get into the habit of ignoring portaudit reports as that's 
clearly *bad* practise.

Gunther
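The point in the post is that an affected-version range of "php5 >0" has no upper bound, so every php5 version ever released satisfies it and portaudit will keep flagging the package no matter how far it is upgraded. The following is an added example (not part of the original message or of the portaudit/VuXML tooling) that evaluates such range clauses against an installed package name. It uses a simplified version comparator (numeric dotted components plus the "_N" PORTREVISION; epochs and letter suffixes are ignored, which is an assumption about a subset of the real pkg_version(1) ordering), and the narrowed range "<5.2.5_1" is a hypothetical corrected entry used only to show how a bounded range stops matching the fixed version.

```python
import re

# Constructed sample data for the example (not the real VuXML database).
# The first entry reproduces the unbounded range quoted in the post; the
# second is a hypothetical narrowed range, an assumption for illustration.
ENTRY_AS_REPORTED = [("php5", ">0")]
ENTRY_NARROWED = [("php5", "<5.2.5_1")]

INSTALLED = "php5-5.2.5_1"   # the package portaudit complained about


def split_pkg(pkgname):
    """Split 'php5-5.2.5_1' into ('php5', '5.2.5_1') at the last '-'."""
    name, _, version = pkgname.rpartition("-")
    return name, version


def parse_version(v):
    """Simplified port version key: list of numeric dotted components,
    then the PORTREVISION after '_' (0 when absent).  Epoch (',N') and
    letter suffixes are deliberately ignored (assumption: subset of the
    real pkg_version(1) rules, enough for the versions in the post)."""
    base, _, rev = v.partition("_")
    comps = [int(x) for x in re.findall(r"\d+", base)]
    return comps, int(rev) if rev else 0


def compare(a, b):
    """Return -1, 0 or 1 as version string a is <, == or > version b."""
    ca, ra = parse_version(a)
    cb, rb = parse_version(b)
    n = max(len(ca), len(cb))
    ca = ca + [0] * (n - len(ca))      # pad so 5.2 == 5.2.0
    cb = cb + [0] * (n - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


OPS = {
    "<":  lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">":  lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=":  lambda c: c == 0,
}


def matches_range(spec, version):
    """spec is whitespace-separated clauses such as '>=5.2.0 <5.2.5_1';
    the version is affected only if every clause holds (logical AND)."""
    for clause in spec.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)(.+)", clause)
        if not m:
            raise ValueError("bad range clause: %r" % clause)
        op, bound = m.groups()
        if not OPS[op](compare(version, bound)):
            return False
    return True


def audit(installed, entries):
    """Return the range specs in `entries` that flag the installed package."""
    name, version = split_pkg(installed)
    return [spec for pkg, spec in entries
            if pkg == name and matches_range(spec, version)]


if __name__ == "__main__":
    # The unbounded entry keeps flagging the fixed version; the bounded
    # one does not, while it still catches an older, vulnerable build.
    print(INSTALLED, "flagged by", audit(INSTALLED, ENTRY_AS_REPORTED))
    print(INSTALLED, "flagged by", audit(INSTALLED, ENTRY_NARROWED))
    print("php5-5.2.1 flagged by", audit("php5-5.2.1", ENTRY_NARROWED))
```

When a report like the one above refuses to go away after an upgrade, the thing to check is the affected-version range in the advisory entry itself (whether it has a proper upper bound such as "<5.2.5_1"), rather than silencing the audit tool.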


