Re: php vulnerability
Florian Weimer wrote:
* Christian Storch:
> > Use a backport of PHP 4.3.10. Apparently, there is no other way at
> > this stage to be sure. (Upstream no longer supports PHP 4.1.x.)
> What about a kind of fork into php4-1 for woody?
The diff from 4.3.9 to 4.3.10 is about 4,000 lines long. It contains
other changes, of course, but you still have to isolate the security
fixes. However, in the past, the PHP team neither provided clear
descriptions of security bugs, nor were the CVS log messages
enlightening. From Debian's point of view, the situation gets more
difficult as other distributions withdraw PHP 4.1.x support.
What's worse, some of the changed parts are not covered by the PHP
test suite. This means that regression testing is not possible (until
the update has been installed on a large number of machines).
Or are there any considerations within security team about patching
4.1 in woody?
We are talking about a
person-week of work, for someone who is not familiar with the PHP code
base. Significantly less work is required if upstream is somewhat
supportive and provides a clear description of the bugs, including
proper test cases.
I'm sure saying this won't win my any friends, but should software that
the security team is unable to support have a place in a stable release
The discussion about volitile.debian.org showed that a newer branch of
software can't very well be backported to Stable when upstream drops
support for the version that Stable includes, so that's not an option.
To mention nothing about maintaining the Stability of a stable release.
But perhaps it would be best to mark software that is unsupportable as
such? If I ran "apt-get install php4" on a newly installed system, it
would be nice to see a message stating something like:
"The software you are installing contains known security flaws, and is
no longer supported by upstream. Since the changes necessary to fix the
flaws are too great to be allowed into a stable Debian release. We
recommend that you do not install php4 from the stable archive. Instead,
find a backport or otherwise install the latest version yourself."
In fact, does anyone keep a list of software with problems of this nature?