
Re: PHP 4.1.2



On Wed, 22 Dec 2004 23:42:13 +0100
Philipp Kern <phil@philkern.de> wrote:

> On 22. Dec 2004, at 23:12 Uhr, Jason Lim wrote:
> > Little bugfixes and even local exploits... okay... I can understand there
> > is less urgency. But for REMOTELY exploitable vulnerabilities, I
> > think there is a much greater urgency and importance.
> 
> For serious PHP deployment you would consider an actual version, not
> the one you could find in stable.
> 
> > I wish we could get an update if they are even _WORKING_ on a PHP update,
> > or if they have just thrown in the towel and said "we're not going
> > to patch this". If that's the case, we'll upgrade, but not otherwise.
<snip>

> By the way I bet there are a lot more flaws in this plain
> old version which got fixed on the long way to 4.3.
> 
> In my opinion it is not worth backporting PHP 4.3 to stable as sarge *should*
> be released as soon as security team support is available.

You make it sound like the version in Sarge has these security
vulnerabilities fixed. Except, it's still 4.3.9 - instead of 4.3.10
which is supposed to fix this problem.

And no, I'm not complaining, though I do hope we're able to get the
security update soon.

Jacob


