[PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
- Date: Mon, 07 Jul 2008 10:25:20 -0700
- From: "Matt Graham" <danceswithcrows@xxxxxxx>
- Subject: [PHP] Re: rfc822_write_address() / CVE-2008-2829 problem
From: "M. Sokolewicz" <tularis@xxxxxxx>
> Matt Graham wrote:
>> PHP had potential vulnerability CVE-2008-2829
>> http://bugs.php.net/bug.php?id=42862 for a reasonable discussion and
>> an (unofficial) patch.
>>
>> I'm just curious as to what other PHP users are doing about the problem,
>> since Redhat says "meh" even though the company doing the security
>> scan says "OMG PANIC!!1!"
> it doesn't look that dangerous to me, I'd personally rather side with
> Redhat in their "meh" than with the security-scan-company's "OMG
> PANIC!!1!".
This is what I thought. However, they would rather believe the security
scan company for some reason.
> If you want the patch to appear in the next version of PHP
> (5.2.3), make some noise about it on the internals list.
? I thought they were up to 5.2.6....
> it hasn't been applied until one of the devs gets so annoyed with you
> spamming him with it that he'll either apply it (thus getting it into
> the next release) or tell you what's wrong with it so you'll finally
> leave him alone. A simple solution :)
Yep. I prefer to avoid annoying and spamming developers, though :-]
> P.S. note: the potential vulnerability only occurs if you actually use
> the imap functions. If you don't: don't worry, you're still "safe".
Aye. However, I mangled the source and compiled a version of PHP 5.2.6
such that the IMAP stuff wasn't even compiled, then installed that
mangled version on a test box. The security scan company then scanned
that test box, and said, "Problem CVE-2008-2829 still exists." I do
wonder what they're doing when they're scanning....
--
The Crow202 Blog: http://crow202.org/wordpress/
There is no Darkness in Eternity/But only Light too dim for us to see
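As an added example (not part of the thread above, and not PHP's or Red Hat's code): the check a practitioner would run before arguing with a scanner is whether the imap extension is actually present in the build, since CVE-2008-2829 lives in the IMAP functions and a scanner matching only the PHP version string cannot tell a stripped-down build from a stock one. The script assumes the module list comes from `php -m` (one extension name per line under section headers such as `[PHP Modules]`); the sample module lists in the comments are constructed, and `check_local_php` and `classify_exposure` are names chosen here.

```shell
#!/bin/sh
# Added example: decide whether a PHP build really exposes the imap
# extension (and therefore imap_rfc822_write_address()), rather than
# trusting a finding derived from the version banner alone.

# is_imap_loaded: read a `php -m` style module list on stdin and succeed
# (exit 0) only if "imap" appears as a whole line. The whole-line match
# (-x) keeps "imagick" or section headers like "[PHP Modules]" from
# matching; -i tolerates case differences between builds.
is_imap_loaded() {
    grep -qix 'imap'
}

# classify_exposure VERSION MODULES: print a one-line verdict whose first
# field is "exposed" or "not-exposed". Returns 1 when exposed so the
# function can gate a deployment step.
classify_exposure() {
    version=$1
    modules=$2
    if printf '%s\n' "$modules" | is_imap_loaded; then
        printf 'exposed: PHP %s includes the imap extension; imap_rfc822_write_address() is callable\n' "$version"
        return 1
    fi
    printf 'not-exposed: PHP %s was built without imap; a version-only finding does not reflect the attack surface\n' "$version"
    return 0
}

# check_local_php: run the classification against the php binary on PATH,
# and cross-check with the interpreter itself, which is authoritative for
# whether the function is callable.
check_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php not found in PATH" >&2; return 2; }
    ver=$(php -r 'echo PHP_VERSION;')
    classify_exposure "$ver" "$(php -m)"
    rc=$?
    # Constructed cross-check: ask PHP directly whether the function exists.
    php -r 'echo function_exists("imap_rfc822_write_address") ? "function present\n" : "function absent\n";'
    return $rc
}

# Constructed sample lists for offline use, e.g.
#   classify_exposure 5.2.6 "$(printf '[PHP Modules]\nctype\nimap\njson\n')"
# Run a live check with:  sh check_imap.sh --live
if [ "${1:-}" = "--live" ]; then
    check_local_php
fi
```

Run with `--live` on the box the scanner is pointed at; if the verdict is `not-exposed` and PHP itself reports the function absent, the scanner is keying on the version string, which is exactly the situation described in the thread.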
--
PHP General Mailing List (http://www.php.net/)