Message-ID: <email address hidden>
Date: Sun, 9 Jan 2005 11:49:28 +0100
From: Martin Schulze <email address hidden>
To: Florian Weimer <email address hidden>
Cc: Pekka Savola <email address hidden>, <email address hidden>,
<email address hidden>
Subject: Re: A backport of PHP fixes for 4.1.2

Florian Weimer wrote:
> * Martin Schulze:
>
> >> Security Fixes (OpenPKG-2004.053-php):
> >>
> >> o CAN-2004-1018:
> >> shmop_write() out of bounds memory write access.
> >> (ext/shmop/shmop.c)
> >
> > Withdrawn, not considered as vulnerability since it would require
> > a malicious script and you can do more evil things much easier with
> > a malicious script.
>
> Huh? What about safe_mode? Does CVE officially declare safe_mode as
> fundamentally insecure?

Yes (except that it's not CVE who declared but vendor-sec).

Regards,
Joey
--
In the beginning was the word, and the word was content-type: text/plain