On Monday 27 December 2004 11:22, Marcus Meissner wrote:
On Mon, Dec 27, 2004 at 09:20:25AM +0100, Cristian Del Carlo wrote:
Hi, I am waiting for the patch for php (the update was released on 14 Dec, http://www.php.net/ChangeLog-4.php#4.3.10) because there are a lot of security issues. I know that there is a worm that can use this problem and defaces web servers: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SANTY.A. Why does it take so much time to release the patch for SUSE 9.X? Best regards,
We are working on php4 updates, but we are not able to release them before the second week of January, since most developers and testers are not available.
Ho-hum. It might have been wise to allow for vulnerabilities that get discovered during holidays. Worms don't usually keep track of people's vacations.
The SANTY.A worm itself spreads using a phpBB (a php forum software) vulnerability, not by a bug in php4.
Ahem! Marcus, that is most definitely not true. I refer you to http://www.php.net/release_4_3_10.php, where it is adamantly stated: "All Users of PHP are strongly encouraged to upgrade to this release as soon as possible". Seven CVE entries are fixed with this. Furthermore, newer worms attack PHP itself, not phpBB per se: http://www.heise.de/security/news/meldung/54623
We do not ship phpBB, so SUSE is not affected by this worm in the default installation.
Yeah yeah, that's the usual <attach standard disclaimer> approach. PhpBB was the first symptom, but php has the vulnerability. Greetings, Maarten