Re: [SECURITY] [DSA 531-1] New php4 packages fix multiple vulnerabilities
On Thu, Jul 22, 2004 at 04:25:30PM +0200, Hilko Bengen wrote:
> Matt Zimmerman <email@example.com> writes:
> > Package : php4
> > Vulnerability : several
> > Problem-Type : remote
> > Debian-specific: no
> > CVE Ids : CAN-2004-0594 CAN-2004-0595
> > [...]
> > For the current stable distribution (woody), these problems have been
> > fixed in version 4.1.2-7.
> Why has a new Debian version been introduced? Previous security fixes
> followed a numbering scheme 4.1.2-6woody$i, the last version being

That scheme is used for non-maintainer uploads. The maintainer prepared
this package, however, and chose to use 4.1.2-7.

> Moreover, php4-curl 4.1.2-7 depends on libcurl2-ssl, where php4-curl
> 4.1.2-6woody3 depended on libcurl2. I haven't seen anything break on
> my machines so far, but I consider this a substantial change for which
> I see no connection to the security fixes.

This was an error in the build process, and is being corrected.