Re: rfc822_write_address() / CVE-2008-2829 problem

This is a discussion on Re: rfc822_write_address() / CVE-2008-2829 problem within the PHP General forums, part of the PHP Programming Forums category.

Matt Graham, 07-07-2008

From: "M. Sokolewicz" <tularis@php.net>
> Matt Graham wrote:
>> PHP had potential vulnerability CVE-2008-2829
>> http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and
>> an (unofficial) patch.
>>
>> I'm just curious as to what other PHP users are doing about the problem,
>> since Redhat says "meh" even though the company doing the security
>> scan says "OMG PANIC!!1!"

> it doesn't look that dangerous to me, I'd personally rather side with
> Redhat in their "meh" than with the security-scan-company's "OMG
> PANIC!!1!".


This is what I thought. However, they would rather believe the security
scan company for some reason.

> If you want the patch to appear in the next version of PHP
> (5.2.3), make some noise about it on the internals list.


? I thought they were up to 5.2.6....

> it hasn't been applied until one of the devs gets so annoyed with you
> spamming him with it that he'll either apply it (thus getting it into
> the next release) or tell you what's wrong with it so you'll finally
> leave him alone. A simple solution :)


Yep. I prefer to avoid annoying and spamming developers, though :-]

> P.S. note: the potential vulnerability only occurs if you actually use
> the imap functions. If you don't: don't worry, you're still "safe".


Aye. However, I mangled the source and compiled a version of PHP 5.2.6
such that the IMAP stuff wasn't even compiled, then installed that
mangled version on a test box. The security scan company then scanned
that test box, and said, "Problem CVE-2008-2829 still exists." I do
wonder what they're doing when they're scanning....

--
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see


Shawn McKenzie, 07-07-2008

Matt Graham wrote:
> From: "M. Sokolewicz" <tularis@php.net>
>> Matt Graham wrote:
>>> PHP had potential vulnerability CVE-2008-2829
>>> http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and
>>> an (unofficial) patch.
>>>
>>> I'm just curious as to what other PHP users are doing about the problem,
>>> since Redhat says "meh" even though the company doing the security
>>> scan says "OMG PANIC!!1!"

>> it doesn't look that dangerous to me, I'd personally rather side with
>> Redhat in their "meh" than with the security-scan-company's "OMG
>> PANIC!!1!".

>
> This is what I thought. However, they would rather believe the security
> scan company for some reason.
>
>> If you want the patch to appear in the next version of PHP
>> (5.2.3), make some noise about it on the internals list.

>
> ? I thought they were up to 5.2.6....
>
>> it hasn't been applied until one of the devs gets so annoyed with you
>> spamming him with it that he'll either apply it (thus getting it into
>> the next release) or tell you what's wrong with it so you'll finally
>> leave him alone. A simple solution :)

>
> Yep. I prefer to avoid annoying and spamming developers, though :-]
>
>> P.S. note: the potential vulnerability only occurs if you actually use
>> the imap functions. If you don't: don't worry, you're still "safe".

>
> Aye. However, I mangled the source and compiled a version of PHP 5.2.6
> such that the IMAP stuff wasn't even compiled, then installed that
> mangled version on a test box. The security scan company then scanned
> that test box, and said, "Problem CVE-2008-2829 still exists." I do
> wonder what they're doing when they're scanning....
>


Their scan is most likely basing it on the PHP version number only.
There is no other way for them to be doing it unless they have access
to the server and are able to run test code to exploit this.

In php.ini, try:

expose_php = Off

See if that helps.

-Shawn
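
An added illustration of the version-only check Shawn describes (not part of the thread and not any scanner's actual code): it reads the PHP version from constructed response headers and applies an assumed rule that flags builds up to 5.2.6. It shows why rebuilding without IMAP leaves the result unchanged, while expose_php = Off removes the input the rule depends on. The header samples, function names and threshold are assumptions.

```python
import re

# "PHP/x.y.z" product token, as sent in X-Powered-By or appended to Server.
PHP_TOKEN = re.compile(r"\bPHP/(\d+)\.(\d+)\.(\d+)")

# Assumption for illustration: the rule flags every build up to and
# including 5.2.6, the version the thread reports as flagged.
FLAGGED_UP_TO = (5, 2, 6)

# Constructed response heads. The IMAP and no-IMAP builds of 5.2.6 send the
# same bytes, so one sample stands for both.
PHP_526_ANY_BUILD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 PHP/5.2.6\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "Content-Type: text/html\r\n"
)
PHP_526_EXPOSE_OFF = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3\r\n"
    "Content-Type: text/html\r\n"
)


def disclosed_php_version(raw_head):
    """Return (major, minor, patch) leaked by the headers, or None."""
    for line in raw_head.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("x-powered-by", "server"):
            match = PHP_TOKEN.search(value)
            if match:
                return tuple(int(part) for part in match.groups())
    return None


def banner_verdict(raw_head):
    """What a version-only rule reports; it never looks at compiled modules."""
    version = disclosed_php_version(raw_head)
    if version is None:
        return "no PHP version disclosed"
    return "flagged" if version <= FLAGGED_UP_TO else "not flagged"


if __name__ == "__main__":
    for label, head in (("expose_php = On", PHP_526_ANY_BUILD),
                        ("expose_php = Off", PHP_526_EXPOSE_OFF)):
        print(label, "->", banner_verdict(head))
```

Turning expose_php off changes only what the server announces; the compiled code is the same either way.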

M. Sokolewicz, 07-07-2008

Matt Graham wrote:
> From: "M. Sokolewicz" <tularis@php.net>
>> Matt Graham wrote:
>>> PHP had potential vulnerability CVE-2008-2829
>>> http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and
>>> an (unofficial) patch.
>>>
>>> I'm just curious as to what other PHP users are doing about the problem,
>>> since Redhat says "meh" even though the company doing the security
>>> scan says "OMG PANIC!!1!"

>> it doesn't look that dangerous to me, I'd personally rather side with
>> Redhat in their "meh" than with the security-scan-company's "OMG
>> PANIC!!1!".

>
> This is what I thought. However, they would rather believe the security
> scan company for some reason.
>
>> If you want the patch to appear in the next version of PHP
>> (5.2.3), make some noise about it on the internals list.

>
> ? I thought they were up to 5.2.6....

ugh, sorry, meant 5.3, I type too fast for myself to read what I just
typed ;)

>
>> it hasn't been applied until one of the devs gets so annoyed with you
>> spamming him with it that he'll either apply it (thus getting it into
>> the next release) or tell you what's wrong with it so you'll finally
>> leave him alone. A simple solution :)

>
> Yep. I prefer to avoid annoying and spamming developers, though :-]
>
>> P.S. note: the potential vulnerability only occurs if you actually use
>> the imap functions. If you don't: don't worry, you're still "safe".

>
> Aye. However, I mangled the source and compiled a version of PHP 5.2.6
> such that the IMAP stuff wasn't even compiled, then installed that
> mangled version on a test box. The security scan company then scanned
> that test box, and said, "Problem CVE-2008-2829 still exists." I do
> wonder what they're doing when they're scanning....
>

As Shawn said, it's probably purely based on the PHP version, nothing more.

- Tul