Re: php vulnerability
* Christian Storch:
>> Use a backport of PHP 4.3.10. Apparently, there is no other way at
>> this stage to be sure. (Upstream no longer supports PHP 4.1.x.)
> What about a kind of fork into php4-1 for woody?
The diff from 4.3.9 to 4.3.10 is about 4,000 lines long. It contains
other changes, of course, but you still have to isolate the security
fixes. However, in the past, the PHP team neither provided clear
descriptions of security bugs, nor were the CVS log messages
enlightening. From Debian's point of view, the situation gets more
difficult as other distributions withdraw PHP 4.1.x support.
What's worse, some of the changed parts are not covered by the PHP
test suite. This means that regression testing is not possible (until
the update has been installed on a large number of machines).
> Or are there any considerations within security team about patching
> 4.1 in woody?
Probably lack of time. Fixing these bugs is not particularly
rewarding (like the Mozilla or Samba bugs). We are talking about a
person-week of work, for someone who is not familiar with the PHP code
base. Significantly less work is required if upstream is somewhat
supportive and provides a clear description of the bugs, including
proper test cases.
Most people I know have already switched to 4.3.x anyway, which makes
it less likely that someone is going to invest so much work. On the
other hand, it's certainly a great way to become one of the unsung
heroes of Debian. 8-)