| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Sep 2006 22:55:44 -0700 From: "Ryan Buena" <dreamsbig@...il.com> To: "İsmail Dönmez" <ismail@...dus.org.tr> Cc: cxib@...urityreason.com, bugtraq@...urityfocus.com Subject: Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore() When does php.net usually publish an official patched version on their website, outside of cvs? One would think they should publish it soon considering the vulnerability and exploit. On 9/9/06, İsmail Dönmez <ismail@...dus.org.tr> wrote: > Hi, > 9 Eylül 2006 Cumartesi 13:24 tarihinde, cxib@...urityreason.com şunları > yazmıştı: > > [PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()] > > > > > > Author: Maksymilian Arciemowicz (cXIb8O3) > > Date: > > - Written: 05.09.2006 > > - Public: 09.09.2006 > > SecurityAlert Id: 42 > > CVE: CVE-2006-4625 > > SecurityRisk: High > > Affected Software: PHP 5.1.6 / 4.4.4 < = x > > Advisory URL: http://securityreason.com/achievement_securityalert/42 > > Vendor: http://www.php.net > [...] > > --- 2. How to fix --- > > fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4. > > > > http://cvs.php.net/viewcvs.cgi/php-src/NEWS > > Can you please tell exact CVS revision in your advisories, PHP.net doesn't > care about vulnerabilities and its very hard to find the correct revision for > the fix. > > Regards, > ismail > -- > アニメは本当にすごいすぎるよ ! >
Powered by blists - more mailing lists