
Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities



On Thu, Jul 22, 2004 at 04:25:30PM +0200, Hilko Bengen wrote:

> Matt Zimmerman <mdz@debian.org> writes:
> 
> > Package        : php4
> > Vulnerability  : several
> > Problem-Type   : remote
> > Debian-specific: no
> > CVE Ids        : CAN-2004-0594 CAN-2004-0595
> >
> > [...]
> >
> > For the current stable distribution (woody), these problems have been
> > fixed in version 4.1.2-7.
> 
> Why has a new Debian version been introduced? Previous security fixes
> followed a numbering scheme 4.1.2-6woody$i, the last version being
> 4.1.2-6woody3.

That scheme is used for non-maintainer uploads.  The maintainer prepared
this package, however, and chose to use 4.1.2-7.

> Moreover, php4-curl 4.1.2-7 depends on libcurl2-ssl, where php4-curl
> 4.1.2-6woody3 depended on libcurl2. I haven't seen anything break on
> my machines so far, but I consider this a substantial change for which
> I see no connection to the security fixes.

This was an error in the build process, and is being corrected.

-- 
 - mdz


