[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CERT Advisory CA-2002-05 Multiple Vulnerabilities in PHP fileupload

On Thu, Feb 28, 2002 at 02:56:02PM -0000, Jeff wrote:
> > Andrew Suffield wrote:
> > Installing unstable packages is in no sense a solution, for
> > people doing serious security setups.
> What should be realised of course, is that Apache recommended
> moving to 1.3.19 and quite some time ago 1.3.23 - so while you
> might consider the packaging to be unstable, the product is not.
> PHP are supplying patches, but recommend an upgrade to 4.1.2
> I don't really understand why other dists are able to package up
> the upstream recommended versions, but Debian cannot? 

It is Debian security policy to backport fixes for `stable' instead of
putting whole new package version there. And I can see several good
reasons for doing that (it was also discussed to some extent at LWN some
time ago).

I wouldn't rush to upgrade to 1.3.23/4.1.2 before it floats around for
some time. First, it may fix not all of the holes; second, fix in a
hurry could introduce more bugs. And mixing potato with unstable/testing
is no better (actually, worse) than switching to woody altogether.

As you could see, Wichert is working on fix backport, and I would wait
until he's done, and grab security update for potato.

Dmitry Borodaenko

Reply to: