[nycphp-talk] SecurityFocus Newsletter #297
Hans Zaunere
lists at zaunere.com
Wed May 4 21:48:45 EDT 2005
> > > SecurityFocus Newsletter #297
> > >
> > > PHP
> > > ---
> > > PHP Group PHP Multiple Unspecified Vulnerabilities [in 4.3.11 and 5.0.3]
> > > http://www.securityfocus.com/bid/13143
> >
> > Can someone explain this one to me? There is no exploit, no description,
> > no nothing... and this is far from the first time that security focus
> > publishes these types of exploits, PHP or not.
>
> As to the authoritative answer to why they include it, I do not know,
> but here is my assumption.
>
> In the PHP 4.3.11 Release Announcement they mention "...addresses
> several security issues inside the exif and fbsql extensions as well as
> the unserialize(), swf_definepoly() and getimagesize() functions"
>
> http://www.php.net/release_4_3_11.php
>
> Also reviewing the ChangeLog and with all the _bug_ fixes one can only
> assume that many of these _could_ be potential vulnerabilities.
>
> http://www.php.net/release_4_3_11.php
>
> http://www.php.net/ChangeLog-5.php#5.0.4
>
> All this coupled with their desire to be an definitive source for
> security/update information, I can see why they would identify version
> upgrades regardless of whether there is a known vulnerability/exploit.
True, but they say the problems are *in* 4.3.11 - yet 4.3.11 fixes them. Perhaps a typo, but this isn't the first time of these types of alerts, and quite a serious typo.
H
More information about the talk
mailing list