[CentOS] New 4.4 install PHP security concern
hyclak at math.ohiou.edu
Wed Sep 20 17:46:04 UTC 2006
On Wed, Sep 20, 2006 at 10:09:21AM -0700, Eucke enlightened us:
> >can you demonstrate working examples of these exploits on a fully
> >updated CentOS machine ?
> This is not a vulnerability that I have discovered but one that the
> nessus security analysis program identified and is documents with the
> following RHN php security update: RHSA-2005-831. Nessus is
> recommending moving to 5.0.4. Could this be something that has been
> fixed already within the 4.3.X php versions within Centos and nessus is
> misreading this as an issue having not been compiled specifically for
> Centos but RHES4?
> If it is an existing issue I would like to figure out how to address it
> without issues...if it's not an issue then I intend to just move on. I
> tried searching the Centos bug tracker but had no luck there.
You have two questions.
First: Nessus reports probably vulnerabilities, often based on version
numbers. This is inaccurate on RHEL-based systems. Read
http://www.redhat.com/advice/speaks_backport.html for the reasons why.
Second: RHEL 4, and therefore CentOS 4, will (most likely) never have a
version of php newer than 4.3.9-something. The something will change as
security issues are fixed and backported (you did read the link above,
right?). The idea of RHEL is to provide a stable, fairly static environment,
which is patched for security holes and some features.
That said, CentOS provides the opportunity to update some of those features
through the CentOS-Plus repository. Read
http://mirror.centos.org/centos/4/centosplus/Readme.txt for more details.
So, just because nessus says it's broken doesn't mean it is.
Department of Mathematics
Department of Social Work
More information about the CentOS