Re: PHP Security Advisory -- SuSE non-IA32 versions vulnerable?
Good afternoon!

I notice that the Bugtraq page says: "So far only the IA32 platform has been verified to be safe from the execution of arbitrary code. The vulnerability can still be used on IA32 to crash PHP and, in most cases, the web server."

Roman Drahtmueller then said, on list: "...not present in SuSE products."

Could Roman, or someone else from SuSE, please clarify the preceding statement as to whether this "not present" is applicable to SuSE's S/390 and zSeries Linux distributions? In other words, is SuSE's PHP binary package immune due to SuSE's choice of compile-time settings and so on, or was Roman's statement based on the Bugtraq comment of IA32 being less vulnerable and therefore the bug being not as big an issue for the "main" version of SuSE?

Thanks!

Scott

--
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney@4th.com       | having a bad operating system." -- Linus Torvalds
http://4th.com/        | ("The Rebel Code," NY Times, 21 February 1999)
                       | PGP Public Key at http://4th.com/keys/courtney.pubkey

On Mon, Jul 22, 2002 at 01:54:10PM -0400, Scott Courtney wrote:
> Could Roman, or someone else from SuSE, please clarify the preceding statement as to whether this "not present" is applicable to SuSE's S/390 and zSeries Linux distributions? In other words, is SuSE's PHP binary package immune due to SuSE's choice of compile-time settings and so on, or was Roman's statement based on the Bugtraq comment of IA32 being less vulnerable and therefore the bug being not as big an issue for the "main" version of SuSE?

Note the version number of the advisory: PHP 4.2.x. We do not ship PHP 4.2.x AFAICT. Only versions 4.0.x and 4.1.x.

Olaf

--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann

On Monday 22 July 2002 02:08 pm, Olaf Kirch wrote:
> On Mon, Jul 22, 2002 at 01:54:10PM -0400, Scott Courtney wrote:
> > Could Roman, or someone else from SuSE, please clarify the preceding statement as to whether this "not present" is applicable to SuSE's S/390 and zSeries Linux distributions? In other words, is SuSE's PHP binary package immune due to SuSE's choice of compile-time settings and so on, or was Roman's statement based on the Bugtraq comment of IA32 being less vulnerable and therefore the bug being not as big an issue for the "main" version of SuSE?
>
> Note the version number of the advisory: PHP 4.2.x. We do not ship PHP 4.2.x AFAICT. Only versions 4.0.x and 4.1.x.

Ah, yes. I had not realized that SuSE was not yet shipping 4.2.x. We have customers who purchase SuSE for S/390 directly from SuSE, and I therefore do not always see exactly what they get on the installation media.

Thank you for the clarification.

Scott

--
-----------------------+------------------------------------------------------
Scott Courtney         | "I don't mind Microsoft making money. I mind them
courtney@4th.com       | having a bad operating system." -- Linus Torvalds
http://4th.com/        | ("The Rebel Code," NY Times, 21 February 1999)
                       | PGP Public Key at http://4th.com/keys/courtney.pubkey

> > Note the version number of the advisory: PHP 4.2.x. We do not ship PHP 4.2.x AFAICT. Only versions 4.0.x and 4.1.x.
>
> Ah, yes. I had not realized that SuSE was not yet shipping 4.2.x. We have customers who purchase SuSE for S/390 directly from SuSE, and I therefore do not always see exactly what they get on the installation media. Thank you for the clarification.

Actually, if you have it installed, a simple "rpm -q mod_php4" should do it. A non-installed package needs "rpm -qp package.rpm".

Regards,
Roman.

--
| Roman Drahtmüller <draht@suse.de>   // "You don't need eyes to see, |
  SuSE Linux AG - Security     Phone: //  you need vision!"
| Nürnberg, Germany   +49-911-740530  //  Maxi Jazz, Faithless        |

Scott Courtney wrote:
> Could Roman, or someone else from SuSE, please clarify the preceding statement as to whether this "not present" is applicable to SuSE's S/390 and zSeries Linux distributions?

I'm not from SuSE, but Olaf Kirch wrote today:

| Note that this issue was reported for PHP 4.2.x only, and
| the most recent PHP4 we've shipped is 4.1.x

So, given that the S/390 and zSeries distribution also don't contain PHP 4.2, you should be ok.

Try

    rpm -qa | grep php

to see which version is installed

Olaf

--
abstrakt gmbh, Behringstrasse 16b, 22765 Hamburg
Tel: +49-40-39804630, Fax: +49-40-39804639
http://www.abstrakt.de/

participants (4)
- Olaf Kirch
- Olaf Kock
- Roman Drahtmueller
- Scott Courtney