[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian PHP upgrade

Andile Ntebe <ANtebe@Acceleration.biz> writes:

> Hi
> Im not sure why Gareth said PHP, I’m referring to Apache 2.2.22.
> The below vulnerabilities seem to affect this version:

You seem not to have noticed that Debian fixes security issues in stable
versions of our packages, so you're comparing the version that Apache
would tell you is vulnerable without noticing the faxes that have been
applied since then by the Debian security team.

I suggest that you take your list of CVEs and see if any of them are not
mentioned as having been fixed in the Debian changelog:


(I'm guessing that if you've been upgrading as hard as you can, and
still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
/etc/debian_version where you should see "7.8")

Anyway, you need to note that the Debian version of Apache that you are
running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
version of the package that's been built by the package maintainer, many
of which added fixed for CVEs, taking us to version 2.2.22-13, followed
by four more uploads that backport fixes to Debian 7  (deb7u1..deb7u4)
each of which adds more CVE fixes.

Upgrading to the latest version of something to fix security bugs
carries with it the potential to introduce new unexpected behaviours,
and that may result in things breaking, which is why we backport
security fixes instead of just asking everyone to upgrade and hoping for
the best.

> Is there a way for us to update to the latest version?

There certainly is -- you can choose to run our testing or unstable
branches, rather than stable, but hopefully now you know why you should
not be fretting about this.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Attachment: signature.asc
Description: PGP signature

Reply to: