
Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 0:10 UTC (Fri) by drag (subscriber, #31333)
Parent article: Critical PHP vulnerability being fixed (The H)

Wow, that has to be a kick in the teeth. Try to reduce your DOS surface and introduce a remote execution bug. That's really bad.


Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 2:43 UTC (Fri) by fimbulvetr (subscriber, #41019)

Well, to be fair, a number of distros did backport the fix without noticing the vulnerability.

Remote execution aside, sudo did just suffer a comparable issue where new code had been added but not fully vetted. The only real difference is that I'd expect more from the sudo authors.

Ubuntu, FWIW, doesn't appear to have fixed the original 5.3.9 bug and thus those users may suffer the 5.3.9 DOSing, but hypothetically no remote execution:
https://bugs.launchpad.net/bugs/cve/2011-4885

Critical PHP vulnerability being fixed (The H)

Posted Feb 3, 2012 13:02 UTC (Fri) by RichieB (guest, #82736)

What's even worse is that this critical bug was already reported 1 day after the release of php 5.3.9. For some reason it got ignored for 3 weeks until proof-of-concept code was released. See http://bugs.php.net/60708

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds