Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 15 Oct 2006 16:31:48 -0400
From:      DAve <dave.list@pixelhammer.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: PHP new vulnarabilities
Message-ID:  <45329AB4.1000508@pixelhammer.com>
In-Reply-To: <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>
References:  <45322A1D.8070204@hadara.ps>	<20061015151215.15a4062e@loki.starkstrom.lan>	<200610151239.12127.freebsd@dfwlp.com> <453274C3.7090409@bsdunix.ch> <0F7C0CB4C34ECD44CCF3CDD0@paul-schmehls-powerbook59.local>

next in thread | previous in thread | raw e-mail | index | archive | help
Paul Schmehl wrote:
> --On October 15, 2006 7:49:55 PM +0200 Thomas <freebsdlists@bsdunix.ch> 
> wrote:
>>
>> Maybe the bug was not in your vuxml when you compiled php5-5.1.6_1. You
>> can use:
>> make -DDISABLE_VULNERABILITIES install clean
>> It will ignore the vuxml entry.
>>
> No offense, but anybody who *deliberately* installs a vulnerable version 
> of php in *today's* world, is an absolute fool.  Some of us are *stuck* 
> with the vulnerable version, because we installed before the 
> vulnerability was found.  We can't go back because previous versions are 
> *also* vulnerable.
> 
> But *deliberately* installing it when you *know* it's vulnerable - and 
> one of the most attacked applications on the internet?  Foolhardy 
> doesn't quite grasp the insanity of that.
> 

That is a bit extreme. I have a full workload, I put in about 60 hours a 
week (I work a lot of weekends, I'm working now). I have servers running 
all different version of apps. I can't go around upgrading everything at 
the drop of a hat. I would be divorced within a month.

If you read the security alerts carefully you will find many require a 
shell (We don't offer them to clients), some require a specific app to 
be running that you may not need (rm -f /usr/local/bin/vulnerable_app), 
and sometimes a simple code audit will tell you if you are vulnerable. 
It is also not uncommon that a security alert is issued for a problem 
that has not be proven in the wild.

There are plenty of reasons to not follow a security alert, many of them 
quite valid. Upgrading mission critical systems without throughly 
understanding the implications just because someone screamed SECURITY!, 
now that is foolhardy.

DAve

-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45329AB4.1000508>