From owner-freebsd-questions@FreeBSD.ORG Tue Nov 10 07:47:02 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CF2DE106566B for ; Tue, 10 Nov 2009 07:47:02 +0000 (UTC) (envelope-from arek@wup-katowice.pl) Received: from mx1.wup-katowice.pl (mx1.wup-katowice.pl [195.39.216.236]) by mx1.freebsd.org (Postfix) with ESMTP id 836F18FC14 for ; Tue, 10 Nov 2009 07:47:01 +0000 (UTC) Received: from mx1.wup-katowice.pl (localhost [127.0.0.1]) by mx1.wup-katowice.pl (Postfix) with ESMTP id 8D4CE61C65 for ; Tue, 10 Nov 2009 08:52:07 +0100 (CET) Received: from [127.0.0.1] (arek.wup-katowice.pl [195.39.216.233]) by mx1.wup-katowice.pl (Postfix) with ESMTPSA id 8631261C5A for ; Tue, 10 Nov 2009 08:52:07 +0100 (CET) Date: Tue, 10 Nov 2009 08:46:59 +0100 From: Arek Czereszewski User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.4pre) Gecko/20090915 Thunderbird/3.0b4 MIME-Version: 1.0 To: freebsd-questions@freebsd.org References: <4AF90A6E.3040907@wup-katowice.pl> <4AF90F44.1070509@infracaninophile.co.uk> In-Reply-To: <4AF90F44.1070509@infracaninophile.co.uk> Message-ID: <4AF91A73.7080904@wup-katowice.pl> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Anti-Virus: Kaspersky Anti-Virus for Linux Mail Server 5.6.36/RELEASE, bases: 20091110 #3185641, check: 20091110 clean Subject: Re: php4-gd X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: arek@wup-katowice.pl List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Nov 2009 07:47:02 -0000 W dniu 2009-11-10 07:59, Matthew Seaman pisze: > Arek Czereszewski wrote: >> Hello, >> >> I have on some web servers php4-gd port installed >> and I am totally confused. >> Portaudit says >> >> Affected package: php4-gd-4.4.9 >> Type of problem: gd -- '_gdGetColors' remote buffer overflow >> vulnerability. >> Reference: >> >> >> On this site is info about: 5.2.11 and 5.3.0 >> >> On Securityfocus is info also about 4.4.9 >> but on cve.mitre.org is not. >> >> Any idea where is the true? >> Are my servers with php4-gd are secure or not? > > This is a bug in the underlying gd library rather than in PHP itself. There > are fixes to two related ports: if you've updated graphics/gd to the latest > version (gd-2.0.35_2,1), and built the latest port revision of the php5-gd > module (which is php5-gd-5.2.11_2) then those should have been secured. > > However, the PHP4 version of the gd module is still at version > php4-gd-4.4.9, and doesn't seem to have been patched -- there is no patch > for CVE-2009-3546 in the php4 sources -- so it seems you are still > vulnerable > when using PHP4. This is to be expected: the PHP project is deprecating > PHP4 > and putting all their effort in to developing PHP5 instead. Patches may > be forthcoming eventually, but who knows when? > > Basically, if you're running PHP4 on a public site then you should be > making > plans to upgrade to PHP5 ASAP. > Cheers, > > Matthew > Hi, So I need to upgrade php4 to php5. Thank you for information. Regards Arek -- Arek Czereszewski arek (at) wup-katowice (dot) pl "UNIX allows me to work smarter, not harder."