Re: [Fed-Talk] Hypertext Preprocessor in OSX
- Subject: Re: [Fed-Talk] Hypertext Preprocessor in OSX
- From: Dave Schroeder <email@hidden>
- Date: Mon, 28 Jan 2008 11:49:03 -0600
On Jan 28, 2008, at 11:14 AM, Michael wrote:

> On Jan 28, 2008, at 11:39 AM, Bojanower Chris Civ 75 CS/SCXH wrote:
>
>> I need to know how to find out what Hypertext Preprocessor is in OSX.
>> We have a TCNO that they feel may apply to our machines (Running
>> 10.4.11 and 10.5.1)
>>
>> Here is the basic info from the TCNO
>>
>> Multiple security vulnerabilities exist in Hypertext Preprocessor
>> (PHP)...
>> Affected product: All versions of PHP except 5.2.5 or later
>
> I assume you are running web servers or PHP would not be an issue
> unless there is some other way to execute terminal commands and
> thereby PHP (for example in the past it was possible to send a file
> ending in jpg that actually was a terminal command, clicking on the
> supposed picture would execute the command).
>
> Use the terminal:
>
> [my10411mac:~] user% php -v
> PHP 4.4.7 (cli) (built: Jul 10 2007 13:05:18)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v1.3.0, Copyright (c) 1998-2004 Zend Technologies
>
> Hopefully Apple will release a security update for this, in the
> meantime if it's an issue for you, that is you are running a web
> server on OS X, you'll need to download, build, and install the new
> PHP just as if you had a Linux distribution without the new version in
> the stable distribution, unless you have some way to show that Apple
> fixed that security hole.
>
> For example, as of today Debian Linux Stable (etch) has PHP
> 5.2.0-8+etch7 and Debian Linux Testing (lenny) has PHP
> 5.2.3-1+lenny1 but as Debian backports the security fixes from
> later releases, it requires a bit of work to figure out when and
> if a particular security issue has been patched in Debian Linux. I
> don't have any experience with the other Linuxes as to how they
> handle these issues.

Please note that Apple usually backports such security fixes to the
versions of software running on particular versions of OS X. In this
case, that means Mac OS X 10.4.x will never get PHP 5.2.5 or newer;
rather, it will get these fixes backported into the PHP 4.4.x included
with OS X 10.4.x.
You're going to want to figure out exactly what vulnerabilities are
being discussed, and correlate with fixes here:
http://docs.info.apple.com/article.html?artnum=61798
That said, as someone else noted, php isn't even running on client
workstations unless the web server and php are enabled.
- Dave
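
Added example, not part of any poster's message: a shell triage of the check discussed in this thread, comparing the `php -v` banner against the TCNO's 5.2.5 threshold and noting whether the web server loads PHP. The Apache config lines are constructed samples and the function names are hypothetical; a "below" result is only a prompt to correlate with vendor advisories, since backported fixes do not change the version number.

```shell
#!/bin/sh
# Added example (not from the thread): triage a host against the TCNO line
# "All versions of PHP except 5.2.5 or later".

# Banner is the first line of the `php -v` output quoted in the thread.
SAMPLE_BANNER='PHP 4.4.7 (cli) (built: Jul 10 2007 13:05:18)'
# Constructed Apache config lines (assumed form of the PHP LoadModule directive).
SAMPLE_CONF_ENABLED='LoadModule php4_module libexec/httpd/libphp4.so'
SAMPLE_CONF_DISABLED='#LoadModule php5_module libexec/apache2/libphp5.so'

# Print the dotted version from the first line of `php -v` output.
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# Succeed if dotted version $1 is numerically lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Succeed if the config text in $1 has an uncommented PHP LoadModule line.
php_module_enabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+php[0-9]*_module'
}

# $1 = `php -v` output, $2 = web server config text, $3 = fixed-in version.
triage() {
    ver=$(php_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse php -v output"
    elif ! version_lt "$ver" "$3"; then
        echo "ok: PHP $ver is at or above $3"
    elif php_module_enabled "$2"; then
        echo "review: PHP $ver is below $3 and loaded by the web server; check for vendor backports"
    else
        echo "not-served: PHP $ver is below $3 but not loaded by the web server; check for vendor backports"
    fi
}

triage "$SAMPLE_BANNER" "$SAMPLE_CONF_ENABLED" 5.2.5
triage "$SAMPLE_BANNER" "$SAMPLE_CONF_DISABLED" 5.2.5
```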