Andrew McGlashan wrote: > To cut a long story short, if PHP upstream has incorporated the features > of Suhosin, then we should be fine; is it the final conclusion from that > long thread and all the references from it, that we are in good shape > with 5.4.4 -- better than pre 5.4 with Suhosin? To be honest I have not read through all of that information myself yet in enough detail to know one way or the other. It really needs the skills of an upstream interpreter developer to know. I would love to hear from someone who is familiar with the code well enough to make an intelligent summary. What I have read (caution unverified) is that the PHP interpreter isn't intrinsically insecure. It only becomes that way when used with insecure php code. Which makes sense. Any upstream interpreter vulnerability would have a CVE number associated with it that would be tracked. I see people calling for those reports but none are being provided for any current vulnerabilities. Bob
Attachment:
signature.asc
Description: Digital signature