[17198] in bugtraq
Re: @stake Advisory: PHP3/PHP4 Logging Format String
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Jouko_Pynn=F6nen?=)
Fri Oct 13 16:25:03 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=iso-8859-1
Message-Id: <Pine.LNX.4.10.10010122319170.22073-100000@shell.solutions.fi>
Date: Fri, 13 Oct 2000 00:13:30 +0300
Reply-To: =?iso-8859-1?Q?Jouko_Pynn=F6nen?= <jouko@SOLUTIONS.FI>
From: =?iso-8859-1?Q?Jouko_Pynn=F6nen?= <jouko@SOLUTIONS.FI>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <C5119AD12E92D311928E009027DE4CCA5548F9@boddington.atstake.com>
Content-Transfer-Encoding: 8bit
On Thu, 12 Oct 2000, @stake Advisories wrote:
> We contacted the PHP team on 10/3/2000 concerning this problem. We wanted
> to hold off releasing our advisory until a fix was available for PHP3
> since some users may not be able to easily upgrade to PHP4. Fixes for
> PHP3 and PHP4 are now available. We are aware that Jouko Pynnönen
> <jouko@solutions.fi> found this problem independantly but chose to release
> before the PHP3 fix was available.
The fix for PHP 3 seems to have been released about the same time as the
PHP 4 fix, ie. the day before my posting on this list:
[ ] php-3.0.17.tar.gz 11-Oct-2000 16:30 2.1M
[ ] php-4.0.3.tar.gz 11-Oct-2000 15:35 2.1M
I contacted the PHP team and vendor-sec list on 09/28/2000. The fix, by
the way, was first planned to be released as early as 10/05/2000. I didn't
mention the URL for PHP 3 fix in my posting which I should have done,
however finding it in the /distributions/ directory shouldn't be
difficult.
IMHO after the first piece of information about a security flaw has been
released (such as the PHP security fix announcement), the sooner people
get to know the details and advice about solving the problem, the better;
pinpointing the exact bug is a matter of minutes for the "bad guys", by
using diff(1) on the sources if not otherwise.
--
Jouko Pynnönen Online Solutions Ltd Secure your Linux -
jouko@solutions.fi http://www.secmod.com
