Does anybody know why this "bug" is not listed on the suhosin website? Could this be an incompatibility issue between openbsd and suhosin instead of it being a suhosin-only issue?
Thanks

On Sun, Aug 9, 2009 at 7:50 PM, William Yodlowsky<b...@openbsd.rutgers.edu> wrote:
> On 9 August 2009 at 19:31, Andres Salazar <ndrsslz...@gmail.com> wrote:
>
>> Thanks, but in the meantime just to be safe. what options are there
>> for users like me who do not want to turn transparent encryption off
>> in suhosin?
>
> I don't know of any workarounds.
>
>> Is it possible to download the previous php5 port (5.2.6) and stay
>> there, or is there any other I have?
>
> There are multiple vulnerabilities with the past releases. If you're
> concerned because your sessions are going across the network, perhaps
> you could wrap them in an ssl tunnel (stunnel).
>
>> On Sun, Aug 9, 2009 at 7:03 PM, William
>> Yodlowsky<b...@openbsd.rutgers.edu> wrote:
>> > On 9 August 2009 at 22:49, Stuart Henderson <st...@openbsd.org> wrote:
>> >
>> >> On 2009/08/09 13:13, Andres Salazar wrote:
>> >> > Hello,
>> >> >
>> >> > I downloaded my STABLE ports on August 6th and I didn't have the
>> >> > php.ini:suhosin.session.encrypt = Off by default.
>> >>
>> >> It is defaulting to off in a patch to the program code, not to the ini
>> >> file (which wouldn't help existing users anyway).
>> >
>> > The code diff for -stable is waiting on an ok.