[CentOS] php 5.1.6 vulnerability in CentosPlus repo

Sun Jul 3 12:56:00 UTC 2011
John R. Dennison <jrd at gerdesas.com>

On Sun, Jul 03, 2011 at 09:28:03AM +0100, Spike Turner wrote:
> 
> I'm running it on an internal box not accessible from the internet. I
> do run a yum update and that seems to be the latest CentOS Plus
> version.

You never said it wasn't facing the internet.

And it's not been updated in nearly 3 years so it has nearly 3 years of
exploits and bug fixes that have not been addressed.  While this may not
directly impact you the fact remains that the package is ancient, poses a
risk, and just like the 5.2.X in c5-testing should be removed due to
lack of upstream support.

> You can see that the kernels are updated but the php is not, so I
> don't see why you said I should consider "running a yum update once in
> a while".

Because I didn't notice the C4 part of this.  I've exactly one C4 box
still in operation; the rest were migrated to 5 quite some time back.  I
initially saw 5.1.6 and, due to being half asleep when I responded,
assumed it was an ancient C5.  Sorry for the confusion caused by my
statement.

							John

-- 
Normal is getting dressed in clothes that you buy for work and driving
through traffic in a car that you are still paying for -- in order to get
to the job you need to pay for the clothes and the car, and the house you
leave vacant all day so you can afford to live in it.

-- Ellen Goodman (1941-), American journalist and
   Pulitzer Prize-winning syndicated columnist
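The point of the reply above is that a package whose last build is years old carries years of unaddressed fixes. A quick way to surface such packages on a box is to compare each installed RPM's build time against today. The script below is an added example, not something posted in this thread or shipped by CentOS; on a live system the input lines would come from `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{BUILDTIME}\n'`, but here the three sample lines are constructed so the script runs anywhere with plain `sh` and `awk`.

```shell
#!/bin/sh
# Added example (not from the thread): report installed packages whose
# BUILDTIME is older than a threshold, as a rough staleness check.
#
# Real input on a CentOS host would be produced by:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{BUILDTIME}\n'
# The sample below is constructed so the script can run offline.

# stale_packages NOW_EPOCH MAX_AGE_DAYS
# Reads "name version-release buildtime" lines on stdin and prints the
# packages built more than MAX_AGE_DAYS before NOW_EPOCH.
stale_packages() {
    now="$1"
    max_days="$2"
    awk -v now="$now" -v max="$max_days" '
        NF == 3 {
            age_days = int((now - $3) / 86400)
            if (age_days > max)
                printf "%s %s built %d days ago\n", $1, $2, age_days
        }'
}

# Constructed sample: a recent kernel, a php 5.1.6 built in 2008, and an
# openssl built in 2010. Version strings are illustrative placeholders.
SAMPLE='kernel 2.6.9-PLACEHOLDER 1309000000
php 5.1.6-PLACEHOLDER 1218000000
openssl 0.9.7a-PLACEHOLDER 1280000000'

# 2011-07-03 12:56:00 UTC, the date of the post, as epoch seconds.
POST_TIME=1309697760

# count_stale MAX_AGE_DAYS -> number of sample packages flagged as stale
count_stale() {
    printf '%s\n' "$SAMPLE" | stale_packages "$POST_TIME" "$1" | wc -l | tr -d ' '
}

# Flag anything older than a year relative to the post date.
printf '%s\n' "$SAMPLE" | stale_packages "$POST_TIME" 365
```

Build time is only a proxy: a distribution may backport fixes without bumping the upstream version, so an old version string is not by itself proof of exposure. What this check does catch is exactly the situation in the thread, a package with no new build in years sitting in an enabled repository, which is the cue to verify whether it is still supported upstream.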


