
Re: wheezy still missing php5-suhosin



On Fri, 12 Apr 2013 03:56:31 +1000
Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> wrote:

> If data is passed via forms or via GET or POST and that data isn't
> properly handled by php itself, then it may produce a buffer overrun
> situation ... possibly before the data gets passed through to the
> webpage code; if this can be fixed by an extension or hardening patch,
> then great, if not, then we are in trouble.

That would indeed be a PHP bug, and would be found quickly. Some people
do little else with their lives but fling random data at public
interfaces to see what sticks...


> I would like to know that everything that was providing protection via
> Suhosin has been incorporated into PHP core, that would be the most
> logical way to deal with the problem, rather than having 3rd party
> patches and extensions.

I would doubt that all of it has been. I think it was withdrawn because
it became difficult to use.

OK, I've just found this, which will probably answer some of your
questions:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698#15

> Actually it does appear to still be in SID:
>
>   http://packages.debian.org/sid/php5-suhosin

I hadn't noticed before, but the Debian packages pages show only depends
and not conflicts. If you check the properties of php5-suhosin in the
Sid apt system you will find it conflicts with php5-suhosin. No, I don't
know why it hasn't been removed from the distribution, I just remember
it being impossible to upgrade some time ago, and after leaving it for
a few weeks for the dust to settle, it was still uninstallable.

I should make clear that I'm not a commercial programmer of any kind,
and I dabble in PHP now and then only on my home server. I'm past the 'a
little knowledge' stage: I know enough about web application security
to know that I don't know anything like enough to write secure code to
present to the public, so I don't attempt it. My home web server is not
accessible from outside other than via a certificate-secured VPN.

-- 
Joe
