Hi, I am waiting for the patch for php (the update was released on 14 Dec, http://www.php.net/ChangeLog-4.php#4.3.10) because there are a lot of security issues. I know that there is a worm that can use this problem and defaces a web server: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A. Why so much time to release the patch for SUSE 9.X?

Best regards,

Cristian Del Carlo
delcarlo@osratoscana.it
Tel. 0583 424700
Fax 0583 424750
http://www.osratoscana.it

The text and any attached documents contain information reserved for the indicated recipient. This e-mail is confidential and its confidentiality is legally protected by Legislative Decree 196 of 30/06/2003 (Personal Data Protection Code). Reading, copying or other unauthorized use, or any other action arising from knowledge of this information, is strictly prohibited. If you have received this document in error, you are kindly requested to notify the sender immediately and to destroy it immediately.
On Mon, Dec 27, 2004 at 09:20:25AM +0100, Cristian Del Carlo wrote:
> Hi, I am waiting for the patch for php (the update was released on 14 Dec, http://www.php.net/ChangeLog-4.php#4.3.10) because there are a lot of security issues. I know that there is a worm that can use this problem and defaces a web server: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A. Why so much time to release the patch for SUSE 9.X? Best regards,
We are working on php4 updates, but we are not able to release them before the second week of January since most developers and testers are not available.

The SANTY.A worm itself spreads using a phpBB (a PHP forum software) vulnerability, not a bug in php4. We do not ship phpBB, so SUSE is not affected by this worm in the default installation. You will need to upgrade phpBB to the current fixed version.

Ciao, Marcus
On Monday 27 December 2004 11:22, Marcus Meissner wrote:
> On Mon, Dec 27, 2004 at 09:20:25AM +0100, Cristian Del Carlo wrote:
> > Hi, I am waiting for the patch for php (the update was released on 14 Dec, http://www.php.net/ChangeLog-4.php#4.3.10) because there are a lot of security issues. I know that there is a worm that can use this problem and defaces a web server: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A. Why so much time to release the patch for SUSE 9.X? Best regards,
> We are working on php4 updates, but we are not able to release them before the second week of January since most developers and testers are not available.
Ho-hum. It might have been wise to allow for vulnerabilities that get discovered during holidays. Worms don't usually keep track of people's vacations.
> The SANTY.A worm itself spreads using a phpBB (a PHP forum software) vulnerability, not a bug in php4.
Ahem! Marcus, that is most definitely not true. I refer you to http://www.php.net/release_4_3_10.php, where it is adamantly stated: "All Users of PHP are strongly encouraged to upgrade to this release as soon as possible". Seven CVE entries are fixed with this. Furthermore, newer worms attack PHP itself, not per se phpBB: http://www.heise.de/security/news/meldung/54623
> We do not ship phpBB, so SUSE is not affected by this worm in the default installation.
Yeah yeah, that's the usual <attach standard disclaimer> approach. phpBB was the first symptom, but PHP has the vulnerability.

Greetings, Maarten
> > We are working on php4 updates, but we are not able to release them before the second week of January since most developers and testers are not available.
>
> Ho-hum. It might have been wise to allow for vulnerabilities that get discovered during holidays. Worms don't usually keep track of people's vacations.
Yes.
> > The SANTY.A worm itself spreads using a phpBB (a PHP forum software) vulnerability, not a bug in php4.
>
> Ahem! Marcus, that is most definitely not true. I refer you to
This exact worm does. I stand corrected. Other worms might already exploit the PHP vulnerabilities, true. I am following the full-disclosure and bugtraq lists, and currently no worm that exploits those directly has been reported in my reading.
> http://www.php.net/release_4_3_10.php
> where it is adamantly stated: "All Users of PHP are strongly encouraged to upgrade to this release as soon as possible". Seven CVE entries are fixed with this. Furthermore, newer worms attack PHP itself, not per se phpBB:
Yes, but we did not want to give you an untested update that would cause more work on your side and ours before Christmas.
> phpBB was the first symptom, but PHP has the vulnerability.
Yes. I expect we are going to see more of those. There are also still lots of PHP-based projects out there which are insufficiently audited.

As for the PHP updates, we really wanted them to go out before Christmas, but there was pretty much confusion about patches and additional fixes, and also reduced QA power due to parallel kernel and samba problems.

Ciao, Marcus
Hello, Marcus Meissner. On 27.12.2004 20:48 you said the following:
> Yes, but we did not want to give you an untested update that would cause more work on your side and ours before Christmas.
Marcus, give us an update, and we'll decide what work it'll cause. There are no absolutely tested packets, and the story with SUSE's broken *kernel* demonstrates that.

--
Boris B. Zhmurov
mailto: bb@kernelpanic.ru
"wget http://kernelpanic.ru/bb_public_key.pgp -O - | gpg --import"
participants (4)
- Boris B. Zhmurov
- Cristian Del Carlo
- maarten
- Marcus Meissner