
Re: php vulnerability

On Tuesday, 21.12.2004, at 14:11 +0100, Florian Weimer wrote:

> The diff from 4.3.9 to 4.3.10 is about 4,000 lines long.  It contains
> other changes, of course, but you still have to isolate the security
> fixes.  However, in the past, the PHP team neither provided clear
> descriptions of security bugs, nor were the CVS log messages
> enlightening.  From Debian's point of view, the situation gets more
> difficult as other distributions withdraw PHP 4.1.x support.

That is a real problem for some software. Issuing security updates for
"older" software is sometimes a real pain. The last Samba problems
couldn't easily be adapted to "older" versions like 3.0.5. I got many
rejects there when trying to build a new package for Adamantix (based on
Debian) using the official Samba patch. I haven't finished this
security package yet...

It came to my mind that one maybe should concentrate the efforts of
people working on such security backports in one central repository.
That might really help to support older software and concentrate the
work on security updates of all different flavours of Linux/BSD/...

Is there something around like CAN/CVE for security patches?

> base.  Significantly less work is required if upstream is somewhat
> supportive and provides a clear description of the bugs, including
> proper test cases.

I fully agree. 

Torge Szczepanek <debian-security@szczepanek.de>
