
Re: PHP vulnerabilities?



On Sat, 2004-12-18 at 07:31 +0200, Pekka Savola wrote:
> That is the easiest way.  Has anyone actually looked, btw, how well 
> the security patch against 4.3.9 (e.g., from OpenPKG) applies to 4.1.2 
> (RHL73) or php 4.2 (RHL9) ?
> 

I took a look at 4.1.2 using Red Hat's test patches from bugzilla as a
reference:

CAN-2004-1065 applies to 4.1.2, probably needs a new patch made
CAN-2004-1018 applies to 4.1.2, needs a new patch made
CAN-2004-1019 is unknown. The unserialize() function in 4.1.2 is
completely different; the vulnerability may not even exist, although
someone will have to use the POC and test it.

CAN-2004-1063 and CAN-2004-1064 seem to apply only to threaded php
servers. Red Hat is not patching php in RHEL as it is not built to
support threads. I haven't checked if php in rh7.3, rh9 or fc1 is built
to support threads or not.

Marc.
