PHP Vulnerability Announced

corz writes "Just when you thought you were finished upgrading the webserver, 'The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.' Here's the bugtraq announcement." The hole is in the parsing of HTTP POST headers and can allow arbitrary code to be run on vulnerable machines. PHP thoughtfully decided to release a new version, 4.2.2, today with the fix. You can find a copy of it here (mirror).

Why I love freebsd.

[mike13down]

I'm not sure how long it took, but the freebsd ports have already been updated.
Since the admins over at NYI.net showed me the light, I have been installing FreeBSD on every machine I can get my hands on, even if they are'nt mine.

IA32 "safe" from this?

[Dr.Dubious+DDQ]

If I read the bugtraq announcement correctly, on IA32 (including, I assume, my K6-2 Linux Box hosting the webserver) is "safe" from remote code execution (but the server can still be crashed by the exploit). Did I read that right?...

Re:Why is this not front-page?

[quinto2000]

Here's one reason:

Impact

Both local and remote users may exploit this vulnerability to compromise
the web server and, under certain conditions, to gain privileged access.
So far only the IA32 platform has been verified to be safe from the
execution of arbitrary code. The vulnerability can still be used on IA32
to crash PHP and, in most cases, the web server.

This isn't really a problem on the most widely used platforms for PHP. I was looking to see if the new Debian package had been uploaded yet, but now I'm not even going to bother. I don't care if someone "may" crash the webserver that much.