On 21.12.2004 12:33 -0800, Trent the Uncatchable wrote:
> First time post, long time reader... :-)
> I've noticed some reports on some recently discovered
> bugs in PHP. What kind of issues might there be with
> M0n0wall? Are there any?
To me it doesn't look like any of that applies to m0n0wall. We don't
use safe_mode, and we only use (un)serialize() for the config cache
(= our own data). pack() is being used by the captive portal, but as
far as I can tell from the code diff, the pack() vulnerability only
applies to malformed format strings, which are fixed and don't depend
on user input in m0n0wall.
Don't forget that unless you're using the captive portal, nobody can
even get to the PHP pages on m0n0wall without authentication (which
is handled by mini_httpd). Nonetheless, we'll of course upgrade to
4.3.10 in the next release.
Let me know if there's any indication that one of these bugs might
indeed apply to m0n0wall.