[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <fb1c44210609122255g3382975q8d60f9035b110f37@mail.gmail.com>
Date: Tue, 12 Sep 2006 22:55:44 -0700
From: "Ryan Buena" <dreamsbig@...il.com>
To: "İsmail Dönmez" <ismail@...dus.org.tr>
Cc: cxib@...urityreason.com, bugtraq@...urityfocus.com
Subject: Re: PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()
When does php.net usually publish an official patched version on their
website, outside of cvs? One would think they should publish it soon
considering the vulnerability and exploit.
On 9/9/06, İsmail Dönmez <ismail@...dus.org.tr> wrote:
> Hi,
> 9 Eylül 2006 Cumartesi 13:24 tarihinde, cxib@...urityreason.com şunları
> yazmıştı:
> > [PHP 5.1.6 / 4.4.4 Critical php_admin* bypass by ini_restore()]
> >
> >
> > Author: Maksymilian Arciemowicz (cXIb8O3)
> > Date:
> > - Written: 05.09.2006
> > - Public: 09.09.2006
> > SecurityAlert Id: 42
> > CVE: CVE-2006-4625
> > SecurityRisk: High
> > Affected Software: PHP 5.1.6 / 4.4.4 < = x
> > Advisory URL: http://securityreason.com/achievement_securityalert/42
> > Vendor: http://www.php.net
> [...]
> > --- 2. How to fix ---
> > fixed in CVS HEAD, PHP_5_2, PHP_5_1 and PHP_4_4.
> >
> > http://cvs.php.net/viewcvs.cgi/php-src/NEWS
>
> Can you please tell exact CVS revision in your advisories, PHP.net doesn't
> care about vulnerabilities and its very hard to find the correct revision for
> the fix.
>
> Regards,
> ismail
> --
> アニメは本当にすごいすぎるよ !
>
Powered by blists - more mailing lists