OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: stake Advisory: PHP3/PHP4 Logging Format String Vulnerability (A 101200-1)
From: Jouko Pynnönen (joukoSOLUTIONS.FI)
Date: Thu Oct 12 2000 - 16:13:30 CDT

On Thu, 12 Oct 2000, stake Advisories wrote:

> We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
> to hold off releasing our advisory until a fix was available for PHP3
> since some users may not be able to easily upgrade to PHP4. Fixes for
> PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
> <joukosolutions.fi> found this problem independantly but chose to release
> before the PHP3 fix was available.

The fix for PHP 3 seems to have been released about the same time as the
PHP 4 fix, ie. the day before my posting on this list:

 [ ] php-3.0.17.tar.gz 11-Oct-2000 16:30 2.1M
 [ ] php-4.0.3.tar.gz 11-Oct-2000 15:35 2.1M

I contacted the PHP team and vendor-sec list on 09/28/2000. The fix, by
the way, was first planned to be released as early as 10/05/2000. I didn't
mention the URL for PHP 3 fix in my posting which I should have done,
however finding it in the /distributions/ directory shouldn't be
difficult.

IMHO after the first piece of information about a security flaw has been
released (such as the PHP security fix announcement), the sooner people
get to know the details and advice about solving the problem, the better;
pinpointing the exact bug is a matter of minutes for the "bad guys", by
using diff(1) on the sources if not otherwise. 

--
Jouko Pynnönen          Online Solutions Ltd       Secure your Linux -
joukosolutions.fi                                 http://www.secmod.com