Matthew Thompson ([EMAIL PROTECTED]) said:
> Thanks for the reply, Adam. Seeing as I'm really only a quasi-nerd :),
> can you tell me just how serious the security hole is? I can use Pine for
> my email on the server in question, but I was just about to set up IMP as
> the primary mail system here at work, and I obviously don't want to do
> that if users can't send messages or if there's a significant security
> hole.
It's a remote root-exploitable bug. The published temp fix with the (old)
exploitable version is to disable error logging to avoid the format string
problems. You can do this by making sure your /etc/php3/apache/php3.ini has
the line:

    log_errors = Off

It's up to you to assess if you want IMP to work with the old version and no
error logging (which I think is the default on Debian) or if it's too risky.

.adam
-- 
[ <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> ]
[ icq #3354423 | lazur.org | clustermonkey.org ]
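A small check for the workaround Adam describes, added here as an example and not part of the original thread: it parses a php3.ini-style file and reports whether the effective `log_errors` directive actually turns logging off. It assumes the PHP 3 ini conventions (`key = value` lines, `;` comments, a later duplicate directive overriding an earlier one, and Off/0/false/no all meaning "disabled"). The path /etc/php3/apache/php3.ini comes from the message; the sample ini content is constructed.

```python
"""Report whether a php3.ini file has error logging disabled.

Added example for the thread above, not code from the original message.
Assumes PHP 3 ini syntax: `key = value`, `;` comments, later duplicates
override earlier ones. An absent directive is NOT treated as disabled,
because the compiled-in default is not assumed here.
"""
import re
import sys

# Constructed sample mirroring a php3.ini fragment (not from a real host).
SAMPLE_INI = """\
; error handling
error_reporting = 7
display_errors = On
log_errors = On   ; logs go to the web server error log
; the later duplicate wins in PHP's ini parser
log_errors = Off
"""

# Path from the thread; the default the script checks when run directly.
DEFAULT_INI_PATH = "/etc/php3/apache/php3.ini"

_DIRECTIVE = re.compile(r"^\s*([A-Za-z_.]+)\s*=\s*(.*?)\s*$")
_FALSE_VALUES = {"off", "0", "false", "no", "none", ""}


def parse_ini(text):
    """Return {directive_lowercase: last_value}, ignoring comments/sections."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("["):  # blank or [section] header
            continue
        m = _DIRECTIVE.match(line)
        if m:
            # Later directives override earlier ones, as PHP's parser does.
            directives[m.group(1).lower()] = m.group(2).strip('"')
    return directives


def effective_log_errors(text):
    """Raw value of the last log_errors directive, or None if absent."""
    return parse_ini(text).get("log_errors")


def log_errors_disabled(text):
    """True only when log_errors is explicitly set to an 'off' value."""
    value = effective_log_errors(text)
    if value is None:
        return False
    return value.strip().lower() in _FALSE_VALUES


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INI_PATH
    with open(path, encoding="utf-8", errors="replace") as fh:
        content = fh.read()
    value = effective_log_errors(content)
    if value is None:
        print(f"{path}: log_errors not set (compiled-in default applies)")
    else:
        state = "disabled" if log_errors_disabled(content) else "ENABLED"
        print(f"{path}: log_errors = {value!r} -> error logging {state}")
```

Run it with no argument to check the path from the thread, or pass another ini path. Splitting on `;` is deliberately simple; a quoted value containing a semicolon would be truncated, which does not affect the boolean `log_errors` directive this check is after.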