
Re: php vulnerability



Hello Rainer,

On Fri, Mar 01, 2002 at 04:02:05PM +0100, Rainer Dorsch wrote:

> I just got an email from our central computing center, that our web servers 
> run a version of apache/php which is vulnerable. Usually Debian is very good 
> on security issues and I thought Debian might have patched our system and the 
> computer center has only scanned the software version. But I did not see any 
> security update on php in Debian.

> I checked lwn.net and found that redhat, suse, and mandrake have made 
> available security patches. I am wondering, if Debian is not vulnerable, if 
> the patch is very close to being released, or if we have to enable the described 
> workarounds.

> Reference: http://www.theregister.co.uk/content/55/24248.html

The PHP package in Debian potato does suffer from this vulnerability.
Since it's the policy of the Debian Security Team to not release
security advisories until fixed packages are available on all affected 
architectures, no announcement has been made yet.  Given that some 
architectures are much slower than others (unlike with many other
distros who only support the newer, speedier archs), and given that the 
Security Team tends to keep to themselves about such matters until the 
announcement is ready, it may yet be some time before the fix is 
available.  We can hope for something within the day, at least.

Steve Langasek
postmodern programmer
