
PHP versioning and security information



Hi,

I have backported unstable's php 4.2.3 packages to woody and I've been using 
them successfully for a few months.  I am rather concerned about security so 
I sent the following message to the php-general mailing list.  So far I have 
no response (granted less than a full day since I posted).  I'm wondering if 
someone here might be able to help me with my questions ...

I'm trying to figure out if the version of php that I am running is secure
against all known exploits and I am finding that task very difficult.  I
haven't been able to find a security page on either http://www.php.net/ or
http://www.zend.com/

My questions are:

- is php 4.2.3 vulnerable to any known security issues?

- what is the meaning of php's versioning scheme?  I see from the
  changelogs that features are added throughout the 4.x branches.  I am used
  to schemes where 4.2.x would be feature frozen with just bug and security
  fixes being applied.

- is the 4.3.x branch the only one that is being maintained?

I do not relish moving my servers from 4.2.3 to 4.3.? since I have
encountered enough problems already with the move from 4.0.6 to 4.2.3. 
Most of the problems were from sloppy coding that should never have worked
but hey it did work with 4.0.6 and does not work with 4.2.3.  If the code
were all mine I wouldn't be so concerned but I don't want to be telling
clients every 6-12 months, that we're upgrading their php version and that
things might break for them.

Is there an official policy as to how long a branch is supported?  PHP
4.2.0 is just over a year old, php 4.2.3 about 6 months old ...

Thanks,
-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Halton Hills, Ontario, Canada                             Debian GNU/Linux
