4 messages in org.freebsd.freebsd-security: Re: Question on recent PHP VuXML info
From, Sent On
Andrew Storms, Sep 8, 2008 8:33 am
Jille Timmermans, Sep 8, 2008 9:07 am
Jeremy Chadwick, Sep 8, 2008 9:18 am
Simon L. Nielsen, Sep 9, 2008 1:49 pm
Subject: Re: Question on recent PHP VuXML info
From: Simon L. Nielsen (sim@FreeBSD.org)
Date: Sep 9, 2008 1:49:59 pm
List: org.freebsd.freebsd-security

On 2008.09.08 09:18:18 -0700, Jeremy Chadwick wrote:

> On Mon, Sep 08, 2008 at 08:33:49AM -0700, Andrew Storms wrote:
>
> > Not sure if this is the correct place for VuXML questions, but the FreeBSD VuXML list (http://lists.freebsd.org/pipermail/freebsd-vuxml/) looks pretty dead given the last update was in 2007 according to the archives.
> >
> > We were previously tracking this entry, which pretty much sat for a while without an applicable upgradeable resolution available.

While I haven't looked into the details of this particular entry (Jille and Jeremy did that well), I just want to take this opportunity to point out that "safe_mode" is broken... From the particular entry:

It should be noted that this vulnerability is not considered to be serious by the FreeBSD Security Team, since safe_mode and open_basedir are insecure by design and should not be relied upon.

We (secteam) have seriously debated if it was worth documenting "safe_mode" issues at all, but the compromise was just to add something similar to the above text.