ramsey, (edited)
@ramsey@phpc.social avatar

How do you pronounce “glibc”? (as in the GNU C Library)

Edit: I consider “gee” as pronounced with a soft G, so you might also write it as “jee.”

derickr,
@derickr@phpc.social avatar

@ramsey Harder G than J though, but not like the CH in the Scottish Loch.

kboyd,
@kboyd@phpc.social avatar

@derickr @ramsey are we talking about ghee lib see?

derickr,
@derickr@phpc.social avatar
j3j5,
@j3j5@hachyderm.io avatar

@ramsey is this about the CVE? Do we know already if there are specific mitigations for PHP apps?

ramsey,
@ramsey@phpc.social avatar

@j3j5 This has nothing to do with the CVE.

The specific mitigation for PHP apps is to upgrade PHP to the latest version that contains the security patches.

j3j5,
@j3j5@hachyderm.io avatar

@ramsey ok, thanks, because I could only find people talking about the upcoming talk but nothing on actual mitigations (except update glibc), but nothing PHP specific.

"gee lib see" for me ✋

ramsey,
@ramsey@phpc.social avatar

@j3j5 What upcoming talk?

j3j5,
@j3j5@hachyderm.io avatar
ramsey,
@ramsey@phpc.social avatar

@j3j5 I don’t recognize what he’s describing in the talk description. Do you know the CVE number? Is what he describes listed here? https://github.com/php/php-src/security/advisories

j3j5,
@j3j5@hachyderm.io avatar
ramsey,
@ramsey@phpc.social avatar

@j3j5 Oh, okay. So, it’s specifically in glibc and not in PHP. I don’t know of any mitigations to apply to PHP source code for this, but users should upgrade glibc immediately (which will require rebuilding the PHP binaries).

j3j5,
@j3j5@hachyderm.io avatar

@ramsey ok, so I guess that updating glibc only isn't enough for now, I'd need to either compile from source or wait for a recompiled version from my distro or repo, am I understanding correctly?

ramsey,
@ramsey@phpc.social avatar

@j3j5 I’m sorry. I don’t know enough about how the distro packages work, so I can’t offer an authoritative response on this. I’d ask @ondrej, since he’s the one who would know best (at least for Debian). 🙂

ondrej,
@ondrej@sury.org avatar

@ramsey @j3j5 The security fixes get uploaded to the security server by the package maintainer and the security team processes the updates. Usually, the processing is quite fast for high severity bugs, but maybe there were not enough people over the weekend? I would give it a day - but I don’t have any insider information really…

ramsey,
@ramsey@phpc.social avatar

@ondrej @j3j5 So, it should automatically build updated packages for all of its dependencies (including PHP)?

ondrej,
@ondrej@sury.org avatar

@ramsey @j3j5 Unless I am missing something, that’s why we ditched static linking and only have dynamic linking, so only service (not system) restart after an upgrade is required.

Well, until some languages like Go thought it’s a good idea to embed a security vulnerability into a zillion downstream packages - a complete rebuild would be needed for those languages, but not for glibc…

ramsey,
@ramsey@phpc.social avatar

@ondrej @j3j5 Got it. I thought when the dynamic library was rebuilt, all dependencies needed to be rebuilt, but maybe that’s not the case since the ABI doesn’t change.

derickr,
@derickr@phpc.social avatar

@ondrej @ramsey @j3j5 Doesn't Go do everything static besides glibc?

derickr,
@derickr@phpc.social avatar

@j3j5 @ramsey It should be enough to upgrade glibc as nobody links it statically into PHP.

j3j5,
@j3j5@hachyderm.io avatar

@derickr @ramsey thanks! that's what I understood from the other replies from Ondřej as well.

outofcontrol,
@outofcontrol@phpc.social avatar

@derickr @j3j5 @ramsey Thanks Derick. No need to recompile PHP then?

derickr,
@derickr@phpc.social avatar

@outofcontrol @j3j5 @ramsey I don't believe so
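
The replies above rest on PHP loading glibc dynamically, so that a library upgrade plus a service restart is enough. As an added example (not posted by anyone in the thread), this script checks both points on Linux: whether `ldd` output shows libc resolved at load time, and which processes still map the replaced library. The function names and sample lines are constructed for illustration, and the pattern assumes the usual `libc.so.6` / `libc-2.NN.so` file names.

```shell
#!/bin/sh
# Added example (not from the thread): after a glibc package upgrade, list
# processes that still have the replaced library mapped and need a restart.

# Constructed /proc/<pid>/maps lines; the upgrade unlinked the old libc file.
SAMPLE_STALE='7f1c2a000000-7f1c2a1b0000 r-xp 00028000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)'
SAMPLE_FRESH='7f1c2a000000-7f1c2a1b0000 r-xp 00028000 08:01 977 /usr/lib/x86_64-linux-gnu/libc.so.6'

# Constructed ldd output line for a dynamically linked binary.
SAMPLE_LDD='    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)'

# True if maps-format text on stdin shows a libc mapping whose file was deleted.
has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# True if ldd output on stdin resolves libc.so.6 at load time (dynamic link).
# A static binary makes ldd print "not a dynamic executable" instead.
links_libc_dynamically() {
    grep -Eq '(^|[[:space:]])libc\.so\.6 => /'
}

# Print "pid comm" for each process under proc root $1 that maps a stale libc.
scan_stale_libc() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if has_stale_libc 2>/dev/null < "$maps"; then
            dir=${maps%/maps}
            printf '%s %s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# Usage: sh check.sh scan      (run as root to see every process)
#        ldd "$(command -v php)" | links_libc_dynamically && echo dynamic
if [ "${1:-}" = scan ]; then
    scan_stale_libc /proc
fi
```

Any process the scan lists is still executing the old library code until it is restarted.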

j3j5,
@j3j5@hachyderm.io avatar

@ramsey also, sorry for assuming you were talking about this, but I just finished reading about it and saw you asking about glibc; in my mind IT HAD to be related

ramsey,
@ramsey@phpc.social avatar

@j3j5 No worries. Just a coincidence. 😁

uberbrady,
@uberbrady@uberbrady.com avatar

@ramsey Curious how this breaks down on age - there was “lib-see” and then later there was “Jee-lib-see” - so Olds might tend towards that pronunciation (I don't know if I parsed "gee-lib-see” right. Gee, like "ghee”? or "gee" like "Gee whiz!”)

ramsey,
@ramsey@phpc.social avatar

@uberbrady I was thinking of a soft G, as in GIF. 😉

(jee)

alda,
@alda@topspicy.social avatar

@ramsey Ghie leeb shee.
