Re: php vulnerability

Florian Weimer wrote:
* Christian Storch:
> > Use a backport of PHP 4.3.10.  Apparently, there is no other way at
> > this stage to be sure.  (Upstream no longer supports PHP 4.1.x.)
> What about a kind of fork into php4-1 for woody?

The diff from 4.3.9 to 4.3.10 is about 4,000 lines long.  It contains
other changes, of course, but you still have to isolate the security
fixes.  However, in the past, the PHP team neither provided clear
descriptions of security bugs, nor were the CVS log messages
enlightening.  From Debian's point of view, the situation gets more
difficult as other distributions withdraw PHP 4.1.x support.

What's worse, some of the changed parts are not covered by the PHP
test suite.  This means that regression testing is not possible (until
the update has been installed on a large number of machines).

> Or are there any considerations within the security team about patching
> 4.1 in woody?

We are talking about a person-week of work, for someone who is not
familiar with the PHP code base.  Significantly less work is required
if upstream is somewhat supportive and provides a clear description of
the bugs, including proper test cases.

I'm sure saying this won't win me any friends, but should software that the security team is unable to support have a place in a stable release of Debian?

The discussion about volatile.debian.org showed that a newer branch of software can't very well be backported to stable when upstream drops support for the version that stable includes, so that's not an option. To say nothing of maintaining the stability of a stable release.

But perhaps it would be best to mark software that is unsupportable as such? If I ran "apt-get install php4" on a newly installed system, it would be nice to see a message stating something like:

"The software you are installing contains known security flaws and is no longer supported by upstream, since the changes necessary to fix the flaws are too great to be allowed into a stable Debian release. We recommend that you do not install php4 from the stable archive. Instead, find a backport or otherwise install the latest version yourself."

In fact, does anyone keep a list of software with problems of this nature?


Sam Morris