From: "M. Sokolewicz" <tularis@xxxxxxx>

> Matt Graham wrote:
>> PHP had potential vulnerability CVE-2008-2829
>> http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and
>> an (unofficial) patch.
>>
>> I'm just curious as to what other PHP users are doing about the problem,
>> since Redhat says "meh" even though the company doing the security
>> scan says "OMG PANIC!!1!"

> it doesn't look that dangerous to me, I'd personally rather side with
> Redhat in their "meh" than with the security-scan-company's "OMG
> PANIC!!1!".

This is what I thought. However, they would rather believe the security scan company for some reason.

> If you want the patch to appear in the next version of PHP
> (5.2.3), make some noise about it on the internals list.

? I thought they were up to 5.2.6....

> it hasn't been applied until one of the devs gets so annoyed with you
> spamming him with it that he'll either apply it (thus getting it into
> the next release) or tell you what's wrong with it so you'll finally
> leave him alone. A simple solution :)

Yep. I prefer to avoid annoying and spamming developers, though :-]

> P.S. note: the potential vulnerability only occurs if you actually use
> the imap functions. If you don't: don't worry, you're still "safe".

Aye. However, I mangled the source and compiled a version of PHP 5.2.6 such that the IMAP stuff wasn't even compiled, then installed that mangled version on a test box. The security scan company then scanned that test box, and said, "Problem CVE-2008-2829 still exists." I do wonder what they're doing when they're scanning....

--
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php