[nycphp-talk] SecurityFocus Newsletter #297
Flavio daCosta
nyphp at n0p.net
Wed May 4 21:22:51 EDT 2005
On Wed, 2005-05-04 at 20:18 -0400, Hans Zaunere wrote:
> > SecurityFocus Newsletter #297
> >
> > PHP
> > ---
> > PHP Group PHP Multiple Unspecified Vulnerabilities [in 4.3.11 and 5.0.3]
> > http://www.securityfocus.com/bid/13143
>
> Can someone explain this one to me? There is no exploit, no description,
> no nothing... and this is far from the first time that security focus
> publishes these types of exploits, PHP or not.
As to the authoritative answer to why they include it, I do not know,
but here is my assumption.
In the PHP 4.3.11 Release Announcement they mention "...addresses
several security issues inside the exif and fbsql extensions as well as
the unserialize(), swf_definepoly() and getimagesize() functions"
http://www.php.net/release_4_3_11.php
Also, reviewing the ChangeLog with all the _bug_ fixes, one can only
assume that many of these _could_ be potential vulnerabilities.
http://www.php.net/release_4_3_11.php
http://www.php.net/ChangeLog-5.php#5.0.4
All this, coupled with their desire to be a definitive source for
security/update information, makes it easy to see why they would identify version
upgrades regardless of whether there is a known vulnerability/exploit.
Just my opinion.
Flavio