Re: [suse-security] WORM_SANTY.A and patch php

From: Marcus Meissner (meissnersuse.de)
Date: Mon Dec 27 2004 - 11:48:17 CST


> > We are working on php4 updates but we are not able to release them before
> > the second week of January since most developers and testers are not
> > available.
>
> Ho-hum.
> It might have been wise to allow for vulnerabilities that get discovered
> during holidays. Worms don't usually keep track of people's vacations.

Yes.
 
> > The SANTY.A worm itself spreads using a phpBB (a php forum software)
> > vulnerability, not by a bug in php4.
>
> Ahem! Marcus, that is most definitely not true. I refer you to

This exact worm does. I stand corrected.

Other worms might already exploit the php vulnerabilities, true.

I am following the full-disclosure and bugtraq lists and currently no worm
that exploits those directly has been reported in my reading.

> http://www.php.net/release_4_3_10.php
>
> where is adamantly stated "All Users of PHP are strongly encouraged to upgrade
> to this release as soon as possible". Seven CVE entries are fixed with this.
> Furthermore, newer worms attack PHP itself, not per se phpBB:
>
> http://www.heise.de/security/news/meldung/54623

Yes, but we did not want to give you an untested update that
will cause more work on your and our side before Christmas.

> PhpBB was the first symptom, but php has the vulnerability.

Yes. I expect we are going to see more of those. There are also
still lots of php based projects out there which are insufficiently
audited.

As for the php updates, we really wanted them to go out before Christmas,
but there was pretty much confusion about patches and additional fixes
and also reduced QA power due to parallel kernel and samba problems.

Ciao, Marcus

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFB0Erh6nvzlwF1Yj4RAl1pAJ9fKNup5OP8AoCM6l0W88jZVhKdywCfTDqb
iJz1cEq9GTT9oWIwj/IJmjA=
=BTb7
-----END PGP SIGNATURE-----