Hi there,
Some days ago there was an integer overflow vulnerability posted for php
5.2.1 and earlier
(http://www.freebsd.org/ports/portaudit/f6377f08-12a7-11dd-bab7-0016179b2dd5.html).
I immediately upgraded my php to 5.2.1_1 but portaudit still complains
that the vulnerability still exists:
[root@myserver ~]# portaudit -a
Affected package: php5-5.2.5_1
Type of problem: php -- integer overflow vulnerability.
Reference:
<http://www.FreeBSD.org/ports/portaudit/f6377f08-12a7-11dd-bab7-0016179b2dd5.html>
1 problem(s) in your installed packages found.
You are advised to update or deinstall the affected package(s)
immediately.
However, I cannot upgrade any further as 5.2.5_1 *is* the version that
was supposed to fix this:
[root@myserver ~]# portupgrade -nv php5
---> Session started at: Thu, 01 May 2008 10:19:33 +0200
** No need to upgrade 'php5-5.2.5_1' (>= php5-5.2.5_1). (specify -f to force)
---> ** Upgrade tasks 1: 0 done, 1 ignored, 0 skipped and 0 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
- lang/php5 (php5-5.2.5_1)
---> Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
---> Session ended at: Thu, 01 May 2008 10:19:36 +0200 (consumed 00:00:02)
Looking closer at the information given in the above URL the
vulnerability specifies that all "php5 >0" is affected, which to me
means that all php5 versions until all eternity will be marked
vulnerable, not only those <= 5.2.1.
Can somebody please fix the CVE or tell me what I'm doing wrong? I don't
want to get into the habit of ignoring portaudit reports as that's
clearly *bad* practice.
Gunther
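The point Gunther is making is that portaudit does nothing more than compare the installed package version against the affected-version range recorded in the VuXML entry, so a range of "php5 >0" matches every php5 version ever built, including the one carrying the fix. The following is an added example, not part of the original post and not portaudit's or FreeBSD's own code: a simplified model of FreeBSD package version comparison (dot-separated numeric components, `_N` as PORTREVISION, `,N` as PORTEPOCH; alphabetic suffixes are deliberately not handled) together with a minimal range check in the shape portaudit reports it. The "corrected" entry with the bound `<5.2.5_1` is an assumption used to show what a properly bounded range would do; it is not the text the real VuXML entry was or was later changed to.

```python
def parse_version(version):
    """Parse a FreeBSD package version such as '5.2.5_1,2' into a
    comparable tuple (epoch, components, revision).

    Simplified model (an assumption, not the full pkg_version(1) grammar):
    components are dot-separated integers, '_N' is the PORTREVISION and
    ',N' is the PORTEPOCH. Alphabetic suffixes are not supported here."""
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    components = tuple(int(c) for c in version.split("."))
    return (epoch, components, revision)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.
    Epoch wins over everything; components are padded with zeros so that
    '5.2' compares equal to '5.2.0'; the revision breaks remaining ties."""
    ea, ca, ra = parse_version(a)
    eb, cb, rb = parse_version(b)
    width = max(len(ca), len(cb))
    ca += (0,) * (width - len(ca))
    cb += (0,) * (width - len(cb))
    ka, kb = (ea, ca, ra), (eb, cb, rb)
    return (ka > kb) - (ka < kb)


# Operators as portaudit prints them; VuXML stores them as <lt>, <le>, <gt>, <ge>, <eq>.
OPERATORS = {
    "<":  lambda c: c < 0,
    "<=": lambda c: c <= 0,
    ">":  lambda c: c > 0,
    ">=": lambda c: c >= 0,
    "=":  lambda c: c == 0,
}


def in_range(installed, constraints):
    """True if the installed version satisfies every (op, bound) constraint,
    i.e. it lies inside the affected range. An empty constraint list matches nothing useful,
    so callers always pass at least one bound."""
    return all(OPERATORS[op](compare_versions(installed, bound))
               for op, bound in constraints)


def split_pkgname(pkg):
    """'php5-5.2.5_1' -> ('php5', '5.2.5_1'); the version follows the last '-'."""
    name, version = pkg.rsplit("-", 1)
    return name, version


def audit(installed_pkgs, entries):
    """Return (package, topic) pairs for every installed package that falls
    inside an entry's affected range; the same decision portaudit -a makes."""
    findings = []
    for pkg in installed_pkgs:
        name, version = split_pkgname(pkg)
        for entry in entries:
            for affected_name, constraints in entry["affects"]:
                if affected_name == name and in_range(version, constraints):
                    findings.append((pkg, entry["topic"]))
    return findings


# Constructed entries. The first reproduces the range quoted in the post ("php5 >0");
# the second is an assumed, properly bounded range, not the real entry's text.
ENTRY_AS_POSTED = {
    "topic": "php -- integer overflow vulnerability.",
    "affects": [("php5", [(">", "0")])],
}
ENTRY_CORRECTED = {
    "topic": "php -- integer overflow vulnerability.",
    "affects": [("php5", [("<", "5.2.5_1")])],
}

if __name__ == "__main__":
    installed = ["php5-5.2.5_1"]
    print("range as posted:", audit(installed, [ENTRY_AS_POSTED]))   # still flagged
    print("bounded range:  ", audit(installed, [ENTRY_CORRECTED]))   # clean
```

Run against the installed package from the post, the ">0" range flags php5-5.2.5_1 while the bounded range does not, which is exactly the symptom described: the scanner is doing its job, and the defect is in the range data, so the fix belongs in the vulnerability entry rather than on the host. Because every bound is evaluated with the same comparator, the same code also shows why "5.2.5" (no PORTREVISION) is correctly reported as inside "<5.2.5_1".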