
RE: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload



> Andrew Suffield wrote:
> Installing unstable packages is in no sense a solution, for
> people doing serious security setups.

What should be realised, of course, is that Apache recommended
moving to 1.3.19 and, quite some time ago, to 1.3.23, so while you
might consider the packaging to be unstable, the product is not.

PHP are supplying patches, but recommend an upgrade to 4.1.2.

So we have a conflict - the people who write Apache and PHP are
recommending, for production, versions that Debian has in unstable
[with PHP a brand new version that has not yet reached unstable].

I think this points to the major thing wrong with Debian.
It is a fabulous but very hard goal to create a completely stable
distribution including thousands of packages for lots of platforms.

The result of following this goal is that Debian is dropping further 
and further behind the current upstream production versions - even
for not-very-often used products like Apache and PHP4 8-)

I don't really understand why other dists are able to package up
the upstream recommended versions, but Debian cannot.

Would it be possible to create a separate archive of upstream 
recommended production versions of core things like: Apache, Perl, 
SSL, MySQL? I would guess that keeping a much smaller set of core
applications and libraries consistent would be easier?

Sigh - still no solution to the PHP hole...
ATM the best bet seems to be:
a) building our own PHP 4.1.2, or
b) waiting for the package maintainer.

I do note that the PHP4 package maintainer is rather active, so
I am holding out for b) atm. I have installed and tested Apache 1.3.23,
which seems fine so far...


Jeff



