[CentOS] Re: New 4.4 install PHP security concern

Wed Sep 20 17:24:11 UTC 2006
Ugo Bellavance <ugob at camo-route.com>

Eucke wrote:
>> can you demonstrate working examples of these exploits on a fully 
>> updated CentOS machine ?
> This is not a vulnerability that I have discovered but one that the 
> nessus security analysis program identified and is documents with the 
> following RHN php security update: RHSA-2005-831.  Nessus is 
> recommending moving to 5.0.4.  Could this be something that has been 
> fixed already within the 4.3.X php versions within Centos and nessus is 
> misreading this as an issue having not been compiled specifically for 
> Centos but RHES4?
> If it is an existing issue I would like to figure out how to address it 
> without issues...if it's not an issue then I intend to just move on.  I 
> tried searching the Centos bug tracker but had no luck there.

Did nessus also tell you that some vendors backport some patches so that 
if they only look at the package name, they can't really know if the 
vuln is fixed or not.

The current version of PHP for centos3 is php-4.3.2-33.ent, which is a 
lot newer than the 4.3.2-26 that they mention in the advisory.  So if 
4.3.2-26 has the fix, it is more than highly likely that 
php-4.3.2-33.ent has it.