[WBEL-users] Severe PHP vulnerability??

Johnny Hughes mailing-lists@hughesjr.com
Sat, 18 Dec 2004 17:14:22 -0600


On Sat, 2004-12-18 at 16:18 -0500, jk42@bitbuckets.com wrote:
> Hello all,
> 
> By now I'm sure everyone is aware of the major vulnerability with PHP
> versions prior to 4.3.9 or 5.0.2.  There are actually a number of
> different problems, but all (except one, which is currently being
> exploited) are only problems for hosts which allow users to create their
> own PHP pages.  The one remotely exploitable attack, which deals with the
> unserialize() call (and on Athlon64 systems has been demonstrated to
> execute shell code with the privileges of the web server process), is
> widely used.
> 
> http://www.hardened-php.net/advisories/012004.txt
> 
> What are other WBEL users doing to protect themselves?  The only updates I
> have found are source code downloads of PHP 4.3.10 or 5.0.3, and from what
> I hear it's a royal pain to recompile PHP and all the drivers.  WBEL has
> version 4.3.2.
> 
> Does anyone know of a solution to this, while we wait for RedHat to
> release an official RHEL fix?  Does someone know where the unserialize
> problem is and how to fix it - perhaps I could backport the fix to the
> 4.3.2 WBEL packages.  I'll do some research and let everyone know.

These packages are released, but unsupported for RHEL3:

http://people.redhat.com/jorton/Taroon-php/
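A small added check, not part of the thread: a POSIX sh function that tells whether a PHP version string predates the fixed upstream releases named above (4.3.10 on the 4.x branch, 5.0.3 on the 5.x branch). The version is passed as an argument so the script runs offline; on a live host you would feed it the output of `php -r 'echo PHP_VERSION;'`. One caveat matters here: vendor packages such as the Taroon-php builds linked above backport the fix without bumping the upstream version, so a "vulnerable" verdict from this check should be confirmed against the package changelog (`rpm -q --changelog php`) before concluding the host is actually exposed.

```shell
#!/bin/sh
# Added example: flag PHP versions older than the fixed upstream releases
# named in the thread (4.3.10 for 4.x, 5.0.3 for 5.x). Upstream version
# numbers only; distro backports may carry the fix at an older version.

# vercmp A B: compare two dotted version strings numerically.
# Prints -1 if A < B, 0 if equal, 1 if A > B. Missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        if [ "$a" = "$ax" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bx" ]; then b=""; else b="${b#*.}"; fi
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
    done
    echo 0
}

# fixed_for_branch VERSION: first fixed upstream release on that branch,
# or an empty string for branches the thread says nothing about.
fixed_for_branch() {
    case "$1" in
        4.*) echo 4.3.10 ;;
        5.*) echo 5.0.3 ;;
        *)   echo "" ;;
    esac
}

# php_needs_update VERSION: prints "vulnerable", "fixed" or "unknown".
# Anything after the numeric part (e.g. "-3.ent" from an RPM release tag)
# is stripped so only the upstream version is compared.
php_needs_update() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    fixed=$(fixed_for_branch "$v")
    if [ -z "$fixed" ]; then echo unknown; return; fi
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Usage: sh check_php.sh 4.3.2   (WBEL's stock version -> "vulnerable")
if [ $# -gt 0 ]; then
    php_needs_update "$1"
fi
```

The stock WBEL version mentioned in the thread, 4.3.2, comes out as "vulnerable" by this comparison; whether a rebuilt package from the URL above still reports 4.3.2 while carrying the backported fix is exactly what the changelog check is for.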