Date:      Tue, 10 Nov 2009 08:46:59 +0100
From:      Arek Czereszewski <arek@wup-katowice.pl>
To:        freebsd-questions@freebsd.org
Subject:   Re: php4-gd
Message-ID:  <4AF91A73.7080904@wup-katowice.pl>
In-Reply-To: <4AF90F44.1070509@infracaninophile.co.uk>
References:  <4AF90A6E.3040907@wup-katowice.pl> <4AF90F44.1070509@infracaninophile.co.uk>

On 2009-11-10 07:59, Matthew Seaman wrote:
> Arek Czereszewski wrote:
>> Hello,
>>
>> I have the php4-gd port installed on some web servers
>> and I am totally confused.
>> Portaudit says
>>
>> Affected package: php4-gd-4.4.9
>> Type of problem: gd -- '_gdGetColors' remote buffer overflow
>> vulnerability.
>> Reference:
>> <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>
>>
>> That page has info about 5.2.11 and 5.3.0.
>>
>> SecurityFocus also has info about 4.4.9,
>> but cve.mitre.org does not.
>>
>> Any idea where the truth is?
>> Are my servers with php4-gd secure or not?
>
> This is a bug in the underlying gd library rather than in PHP itself. There
> are fixes to two related ports: if you've updated graphics/gd to the latest
> version (gd-2.0.35_2,1), and built the latest port revision of the php5-gd
> module (which is php5-gd-5.2.11_2) then those should have been secured.
>
> However, the PHP4 version of the gd module is still at version
> php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch
> for CVE-2009-3546 in the php4 sources -- so it seems you are still
> vulnerable when using PHP4. This is to be expected: the PHP project is
> deprecating PHP4 and putting all their effort into developing PHP5
> instead. Patches may be forthcoming eventually, but who knows when?
>
> Basically, if you're running PHP4 on a public site then you should be
> making plans to upgrade to PHP5 ASAP.
>
> Cheers,
>
> Matthew
>

Hi,

So I need to upgrade php4 to php5.
Thank you for the information.

Regards
Arek

-- 
Arek Czereszewski
arek (at) wup-katowice (dot) pl
"UNIX allows me to work smarter, not harder."
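As an added example (not part of this thread or of the FreeBSD ports tree), the check Matthew describes, comparing installed port versions against the fixed revisions he names, can be scripted. The `pkg_info` listing below is constructed, and the version comparison is a simplified one for dotted numeric versions with `_revision` and `,epoch` suffixes; FreeBSD's own rules live in pkg_version(1).

```python
import re

# Constructed sample of `pkg_info` output (not taken from a real host)
SAMPLE_PKG_INFO = """\
gd-2.0.35_2,1       A graphics library for fast creation of images
php4-gd-4.4.9       The gd shared extension for php
php5-gd-5.2.11_1    The gd shared extension for php
"""

# Minimum patched versions given in the reply above; php4-gd has no fix.
FIXED = {"gd": "2.0.35_2,1", "php5-gd": "5.2.11_2"}
NO_FIX = {"php4-gd"}


def parse_version(ver):
    """Split 'version[_revision][,epoch]' into (epoch, version, revision).

    Simplified: only dotted numeric versions are handled; epoch wins,
    then version, then PORTREVISION, which matches how a bumped
    revision such as _2 supersedes _1 in the ports tree."""
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    rev = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        rev = int(r)
    return (epoch, tuple(int(p) for p in re.findall(r"\d+", ver)), rev)


def installed_packages(pkg_info_text):
    """Yield (name, version) from `pkg_info` listing lines."""
    for line in pkg_info_text.splitlines():
        if line.strip():
            name, ver = line.split()[0].rsplit("-", 1)
            yield name, ver


def audit(pkg_info_text):
    """Return {package: status} for the ports discussed in the thread."""
    report = {}
    for name, ver in installed_packages(pkg_info_text):
        if name in NO_FIX:
            report[name] = "no fix available (upgrade to php5-gd)"
        elif name in FIXED:
            if parse_version(ver) >= parse_version(FIXED[name]):
                report[name] = "patched"
            else:
                report[name] = "needs update to " + FIXED[name]
    return report


if __name__ == "__main__":
    for pkg, status in audit(SAMPLE_PKG_INFO).items():
        print(f"{pkg}: {status}")
```

On a real host, feed it the output of `pkg_info` instead of the constructed sample.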


