Date: Tue, 9 Sep 2008 22:49:59 +0200
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Jeremy Chadwick <koitsu@FreeBSD.org>
Cc: freebsd-security@freebsd.org, Andrew Storms <astorms@ncircle.com>
Subject: Re: Question on recent PHP VuXML info
Message-ID: <20080909204958.GA1203@arthur.nitro.dk>
In-Reply-To: <20080908161818.GA72963@icarus.home.lan>
References: <C4EA93ED.1AD025%astorms@ncircle.com> <20080908161818.GA72963@icarus.home.lan>

On 2008.09.08 09:18:18 -0700, Jeremy Chadwick wrote:
> On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:
> > Not sure if this is the correct place for VuXML questions, but the FreeBSD
> > VuXML list ( http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty
> > dead given the last update was in 2007 according to the archives.
> >
> > We were previously tracking this entry, which pretty much sat for a while
> > without an applicable upgradeable resolution available.

While I haven't looked into the details of this particular entry, Jille
and Jeremy did that well, I just want to take this opportunity to point
out that "safe_mode" is broken...

From the particular entry:

  It should be noted that this vulnerability is not considered to be
  serious by the FreeBSD Security Team, since safe_mode and
  open_basedir are insecure by design and should not be relied upon.

We (secteam) have seriously debated if it was worth documenting
"safe_mode" issues at all, but the compromise was just to add something
similar to the above text.

-- 
Simon L. Nielsen
FreeBSD Security Team