Hi Guys,
I'm looking at php php-5.1.6-3.el4s1.10.i386.rpm in the CentOS plus repo dated from 31st July 2008. Is it vulnerable to the exploits in php 5.1.x and 5.2?
Thanks, Spike.
On Sat, Jul 02, 2011 at 08:51:33PM +0100, Spike Turner wrote:
> Hi Guys,
> I'm looking at php php-5.1.6-3.el4s1.10.i386.rpm in the CentOS plus repo dated from 31st July 2008. Is it vulnerable to the exploits in php 5.1.x and 5.2?
That's not been supported in, literally, ages. You may want to consider a "yum update" once in a while.
And yes, that specific version has multiple known and exploitable security issues.
John
On Sat, Jul 02, 2011 at 03:57:24PM -0500, John R. Dennison wrote:
> That's not been supported in, literally, ages. You may want to consider a "yum update" once in a while.
Actually, you didn't say you were actually running that version. So, if you aren't running it already... don't :)
> And yes, that specific version has multiple known and exploitable security issues.
Current version in C4, fwiw, is php-4.3.9-3.31.
John
--- On Sat, 2/7/11, John R. Dennison jrd@gerdesas.com wrote:
> That's not been supported in, literally, ages. You may want to consider a "yum update" once in a while.
> And yes, that specific version has multiple known and exploitable security issues.
> John
I'm running it on an internal box not accessible from the internet. I do run a yum update and that seems to be the latest CentOS Plus version.
http://mirror.centos.org/centos/4/centosplus/i386/RPMS/
You can see that the kernels are updated but the php is not, so I don't see why you said I should consider "running a yum update once in a while".
Regards, Spike.
On 03/07/2011 10:28, Spike Turner wrote:
> --- On Sat, 2/7/11, John R. Dennison jrd@gerdesas.com wrote:
>> That's not been supported in, literally, ages. You may want to consider a "yum update" once in a while.
>> And yes, that specific version has multiple known and exploitable security issues.
>> John
> I'm running it on an internal box not accessible from the internet. I do run a yum update and that seems to be the latest CentOS Plus version.
> http://mirror.centos.org/centos/4/centosplus/i386/RPMS/
> You can see that the kernels are updated but the php is not, so I don't see why you said I should consider "running a yum update once in a while".
Hi Spike,
I agree. Here is what I have on a CentOS 5.6 machine:

    ]# yum info php
    ....
    Available Packages
    Name    : php
    Arch    : x86_64
    Version : 5.1.6
    Release : 27.el5_5.3
    Size    : 2.3 M
    Repo    : base
So 5.1.6 is the current package on CentOS, at least in base repo, I don't know for CentOSPlus, and your question is totally valid.
I am not using PHP, so I am not aware of the latest vulnerabilities, but you should know that RedHat backports security fixes, and features, from further releases, so the version number is not that informative. See for example this rather old thread (2010): http://forums.whirlpool.net.au/archive/1424743
Hope that helps...
Alain
On Sun, Jul 03, 2011 at 02:29:12PM +0200, Alain Péan wrote:
> So 5.1.6 is the current package on CentOS, at least in base repo, I don't know for CentOSPlus, and your question is totally valid.
The php in base, for both C4 and C5, gets updates. I've not seen an update for the C4 plus package since, well, 2008. This also brings up the question what stack this package was part of upstream; I'm not able to locate it in Redhat's mirrors.
> I am not using PHP, so I am not aware of the latest vulnerabilities, but you should know that RedHat backports security fixes, and features, from further releases, so the version number is not that informative. See for example this rather old thread (2010): http://forums.whirlpool.net.au/archive/1424743
They only backport for supported packages. It appears that this package may have been orphaned upstream.
Returns a 404.
John
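The point Alain and John make above (fixes are backported, so "5.1.6" alone says nothing; what matters is whether the package is still receiving changelog entries) can be turned into a check. The script below is an added example for this thread, not code from the CentOS list or from rpm/yum. It parses `rpm -q --changelog` output, computes how many days the newest entry predates a reference date, and flags the package as stale past a threshold. It assumes only POSIX sh, sed and head. The embedded changelog is constructed for illustration (the maintainer name and e-mail are placeholders, and the entries are not the real package's history); the only facts taken from the thread are the package name/release, its 31 July 2008 date and the 2 July 2011 date of the original question.

```shell
#!/bin/sh
# Added example for this thread, not code from the CentOS list or from rpm/yum.
# Red Hat and CentOS backport fixes without bumping the upstream version, so
# "php 5.1.6" on its own says nothing about exposure; the newest %changelog
# entry does. Live usage against a real system (not run here):
#   rpm -q --changelog php | rpm_last_changelog_date
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} built %{BUILDTIME:date}\n' php

# Month abbreviation as printed by rpm -> month number.
month_num() {
    case $1 in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) echo "month_num: bad month '$1'" >&2; return 1 ;;
    esac
}

# Days since 1970-01-01 for a proleptic Gregorian Y M D (Howard Hinnant's
# days_from_civil), in plain shell arithmetic so GNU date is not needed.
days_from_civil() {
    y=$1; m=$2; d=${3#0}          # strip a leading zero so "08" is not read as octal
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    if [ "$y" -ge 0 ]; then era=$((y / 400)); else era=$(((y - 399) / 400)); fi
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# Read `rpm -q --changelog` output on stdin; print the newest entry's date as
# "Mon DD YYYY" (rpm lists entries newest first, header "* Thu Jul 31 2008 ...").
rpm_last_changelog_date() {
    sed -n 's/^\* [A-Z][a-z][a-z] \([A-Z][a-z][a-z]\) \([0-9][0-9]*\) \([0-9][0-9]*\).*/\1 \2 \3/p' | head -n 1
}

# Whole days between an entry date and a reference date, both "Mon DD YYYY".
changelog_age_days() {
    set -- $1 $2                  # word-split both dates into six positionals
    e=$(days_from_civil "$3" "$(month_num "$1")" "$2")
    r=$(days_from_civil "$6" "$(month_num "$4")" "$5")
    echo $((r - e))
}

# Succeeds when AGE_DAYS exceeds MAX_DAYS (default 365): no changelog entry,
# hence no backported fix, in over that period.
is_stale() {
    [ "$1" -gt "${2:-365}" ]
}

# Constructed changelog in rpm's format for the package asked about in the
# thread; maintainer and entries are placeholders, not the real history.
SAMPLE_CHANGELOG='* Thu Jul 31 2008 Example Maintainer <maint@example.com> - 5.1.6-3.el4s1.10
- rebuild (constructed entry)

* Tue Jul 08 2008 Example Maintainer <maint@example.com> - 5.1.6-3.el4s1.9
- earlier constructed entry'

main() {
    newest=$(printf '%s\n' "$SAMPLE_CHANGELOG" | rpm_last_changelog_date)
    age=$(changelog_age_days "$newest" "Jul 02 2011")   # date of the original question
    if is_stale "$age" 365; then
        echo "newest changelog entry: $newest, $age days before 2 Jul 2011: no fixes in over a year"
    else
        echo "newest changelog entry: $newest, $age days before 2 Jul 2011: recently maintained"
    fi
}
main
```

Run against a live box, the same functions distinguish the two 5.1.6 packages in this thread: the el5 base php has recent changelog entries, the C4 plus one stops in 2008. Comparing `rpm -q --changelog` dates across repos is a more honest signal than comparing version strings.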
You can also build the packages yourself and keep abreast of the mailing list.
On Sun, Jul 3, 2011 at 9:11 AM, John R. Dennison jrd@gerdesas.com wrote:
> On Sun, Jul 03, 2011 at 02:29:12PM +0200, Alain Péan wrote:
>> So 5.1.6 is the current package on CentOS, at least in base repo, I don't know for CentOSPlus, and your question is totally valid.
> The php in base, for both C4 and C5, gets updates. I've not seen an update for the C4 plus package since, well, 2008. This also brings up the question what stack this package was part of upstream; I'm not able to locate it in Redhat's mirrors.
>> I am not using PHP, so I am not aware of the latest vulnerabilities, but you should know that RedHat backports security fixes, and features, from further releases, so the version number is not that informative. See for example this rather old thread (2010):
> They only backport for supported packages. It appears that this package may have been orphaned upstream.
> Returns a 404.
> John
> --
> When there are too many policemen, there can be no liberty. When there are too many soldiers, there can be no peace. When there are too many lawyers, there can be no justice.
> -- Lin Yutang (10 October 1895 - 26 March 1976), Chinese writer and translator, as quoted in Alexander, James (2005). The World's Funniest Laws. Cheam: Crombie Jardine. p. 6
> CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Using centos 5.x, sendmail, as a server, downloading mail with thunderbird (although this happened with outlook too)
every 5 or 6 months I open my mail client (thunderbird) and one of my mail accounts decides to download 1,000 or so mails from my server. Old mail that I had already downloaded before.
I changed no settings and everything is the same as it was, but this happens enough, on all accounts, that it is just weird. It is like it gets to a certain size and then redownloads the same mails. And they are the same mails. I have had 'redownloads' of the same emails each time.
I look in the queue, nothing there... same with the mailboxes in the user folders, /var/spool/mail...
these mails are being held somewhere by centos, but I cannot find them...and they seem to want to all be downloaded again and again every 6 months..
what am I missing?
thanks
on 7/5/2011 9:34 AM Bob Hoffman spake the following:
> Using centos 5.x, sendmail, as a server, downloading mail with thunderbird (although this happened with outlook too)
> every 5 or 6 months I open my mail client (thunderbird) and one of my mail accounts decides to download 1,000 or so mails from my server. Old mail that I had already downloaded before.
> I changed no settings and everything is the same as it was, but this happens enough, on all accounts, that it is just weird. It is like it gets to a certain size and then redownloads the same mails. And they are the same mails. I have had 'redownloads' of the same emails each time.
> I look in the queue, nothing there... same with the mailboxes in the user folders, /var/spool/mail...
> these mails are being held somewhere by centos, but I cannot find them...and they seem to want to all be downloaded again and again every 6 months..
> what am I missing?
> thanks
You are missing a lot of detail, and also hijacked someone else's thread. What MDA... using pop3 or imap... etc...
On Tue, 5 Jul 2011, Bob Hoffman wrote:
> To: CentOS mailing list centos@centos.org
> From: Bob Hoffman bob@bobhoffman.com
> Subject: [CentOS] getting old mail every 5 months or so
>
> Using centos 5.x, sendmail, as a server, downloading mail with thunderbird (although this happened with outlook too)
> every 5 or 6 months I open my mail client (thunderbird) and one of my mail accounts decides to download 1,000 or so mails from my server. Old mail that I had already downloaded before.
What emails are you referring to Bob - ones specific to this list?
Is this email being flushed (deleted) the first time you are downloading it. Using fetchmail I can download emails, and specify either the 'keep' or 'no-keep' option to either download and not delete, or download and delete from the mail server.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
On Sun, Jul 03, 2011 at 09:28:03AM +0100, Spike Turner wrote:
> I'm running it on an internal box not accessible from the internet. I do run a yum update and that seems to be the latest CentOS Plus version.
You never said it wasn't facing the internet.
And it's not been updated in nearly 3 years so it has nearly 3 years of exploits and bug fixes that have not been addressed. While this may not directly impact you the fact remains that the package is ancient, poses a risk, and just like the 5.2.X in c5-testing should be removed due to lack of upstream support.
> You can see that the kernels are updated but the php is not, so I don't see why you said I should consider "running a yum update once in a while".
Because I didn't notice the C4 part of this. I've exactly one C4 box still in operation; the rest were migrated to 5 quite some time back. I initially saw 5.1.6 and, due to being half asleep when I responded, assumed it was an ancient C5. Sorry for the confusion caused by my statement.
John