Re: PHP versioning and security information
Fraser Campbell wrote:
> I have backported unstable's php 4.2.3 packages to woody and
> I've been using
> them successfully for a few months. I am rather concerned
> about security so
> I sent the following message to the php-general mailing list.
> So far I have
> no response (granted less than a full day since I posted).
> I'm wondering if
> someone here might be able to help me with my questions ...
> My questions are:
> - is php 4.2.3 vulnerable to any known security issues?
Not easy to answer unless you study the changelog from newer versions
> - what is the meaning of php's versioning scheme? I see from the
> changelogs that features are added throughout the 4.x branches. I am
> to schemes where 4.2.x would be feature frozen with just bu and security
> fixes being applied.
Yes, this is the current PHP policy.
> - is the 4.3.x branch the only one that is being maintained?
> I do not relish moving my servers from 4.2.3 to 4.3.? since I have
> encountered enough problems already with the move from 4.0.6 to 4.2.3.
> Most of the problems were from sloppy coding that should never have worked
> but hey it did work with 4.0.6 and does not work with 4.2.3. If the code
> were all mine I wouldn't be so concerned but I don't want to be telling
> clients every 6-12 months, that we're upgrading their php version and that
> things might break for them.
Yes, 4.0.6 was pretty stable, that's why so many ISPs (and SUN with their
Cobalt's) only use this version.
4.1 introduced that "SuperGlobals" (_GET, _POST, _REQUEST, _FILES, _SERVER),
that became the default to use in 4.2 (which is triggered thru php.inc, so
BC is granted).
4.3 introduced some new nifty commands (like debug_backtrace or
get_file_contents), and they started bundling the GD library, which was a
real pain to add in past versions.
IMHO there shouldn't be no more beasty changes like that in 4.0 to 4.2. From
the php-internals ML i see that most core and extension developers _do_ care
about BC whatever they do.
> Is there an official policy as to how long a branch is supported?
Bug fixes are mostly applied to the current PHP4 branch. There were some
security issues with file uploads, that were also applied to the previous
branch, but these were exeptions.
> PHP 4.2.0 is just over a year old, php 4.2.3 about 6 months old ...
And 4.3.2 was out recently, which fixed a ton of bugs. The first RC for
4.3.3 will be out next week I guess, fixing serious problems on sparcs, but
the fixes came in too late (when 4.3.2RC3 was out) and were too heavy to get
I'm not too happy with the php packages in debian, because 4.3.x is not even
in unstable (while I run most servers from testing, where 4.1.2 seems to be
For personal and client's needs, I debianized 4.3.2 (for the testing branch,
for woody this will need some tweaking) lately and offered them to the
official deb maintainer, with no answer for at least a week now. If anyone
likes to get them, I'll make them available for download somewhere (only the
diffs, not the complete debs).