[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

PHP versioning and security information


I have backported unstable's php 4.2.3 packages to woody and I've been using 
them successfully for a few months.  I am rather concerned about security so 
I sent the following message to the php-general mailing list.  So far I have 
no response (granted less than a full day since I posted).  I'm wondering if 
someone here might be able to help me with my questions ...

I'm trying to figure out if the version of php that I am running is secure
against all known exploits and I am finding that task very difficult.  I
haven't been able to find a security page on either http://www.php.net/ or

My questions are:

- is php 4.2.3 vulnerable to any known security issues?

- what is the meaning of php's versioning scheme?  I see from the
  changelogs that features are added throughout the 4.x branches.  I am used
  to schemes where 4.2.x would be feature frozen with just bu and security
  fixes being applied.

- is the 4.3.x branch the only one that is being maintained?

I do not relish moving my servers from 4.2.3 to 4.3.? since I have
encountered enough problems already with the move from 4.0.6 to 4.2.3. 
Most of the problems were from sloppy coding that should never have worked
but hey it did work with 4.0.6 and does not work with 4.2.3.  If the code
were all mine I wouldn't be so concerned but I don't want to be telling
clients every 6-12 months, that we're upgrading their php version and that
things might break for them.

Is there an official policy as to how long a branch is supported?  PHP
4.2.0 is just over a year old, php 4.2.3 about 6 months old ...

Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Halton Hills, Ontario, Canada                             Debian GNU/Linux

Reply to: