Re: php vulnerability

To: debian-security@lists.debian.org
Subject: Re: php vulnerability
From: Sam Morris <sam@robots.org.uk>
Date: Tue, 21 Dec 2004 16:35:06 +0000
Message-id: <[🔎] cq9jbc$fhj$1@sea.gmane.org>
In-reply-to: <[🔎] 87hdmfg5jj.fsf@deneb.enyo.de>
References: <[🔎] 20041221064828.83457.qmail@web51706.mail.yahoo.com> <[🔎] 873by02eug.fsf@deneb.enyo.de> <[🔎] 1393.212.89.97.147.1103623957.squirrel@212.89.97.147> <[🔎] 87hdmfg5jj.fsf@deneb.enyo.de>

Florian Weimer wrote:

* Christian Storch:
> > Use a backport of PHP 4.3.10.  Apparently, there is no other way at
> > this stage to be sure.  (Upstream no longer supports PHP 4.1.x.)
>
> What about a kind of fork into php4-1 for woody?

The diff from 4.3.9 to 4.3.10 is about 4,000 lines long.  It contains
other changes, of course, but you still have to isolate the security
fixes.  However, in the past, the PHP team neither provided clear
descriptions of security bugs, nor were the CVS log messages
enlightening.  From Debian's point of view, the situation gets more
difficult as other distributions withdraw PHP 4.1.x support.

What's worse, some of the changed parts are not covered by the PHP
test suite.  This means that regression testing is not possible (until
the update has been installed on a large number of machines).

Or are there any considerations within security team about patching
4.1 in woody?


We are talking about a
person-week of work, for someone who is not familiar with the PHP code
base.  Significantly less work is required if upstream is somewhat
supportive and provides a clear description of the bugs, including
proper test cases.

I'm sure saying this won't win my any friends, but should software thatthe security team is unable to support have a place in a stable releaseof Debian?

The discussion about volitile.debian.org showed that a newer branch ofsoftware can't very well be backported to Stable when upstream dropssupport for the version that Stable includes, so that's not an option.To mention nothing about maintaining the Stability of a stable release.

But perhaps it would be best to mark software that is unsupportable assuch? If I ran "apt-get install php4" on a newly installed system, itwould be nice to see a message stating something like:

"The software you are installing contains known security flaws, and isno longer supported by upstream. Since the changes necessary to fix theflaws are too great to be allowed into a stable Debian release. Werecommend that you do not install php4 from the stable archive. Instead,find a backport or otherwise install the latest version yourself."


In fact, does anyone keep a list of software with problems of this nature?

Regards,

--
Sam Morris

Reply to:

Follow-Ups:
- Re: php vulnerability
  - From: "Christian Storch" <storch@infra.net>

References:
- Re: php vulnerability
  - From: saravanan ganapathy <sarav_gsa@yahoo.com>
- Re: php vulnerability
  - From: Florian Weimer <fw@deneb.enyo.de>
- Re: php vulnerability
  - From: "Christian Storch" <storch@infra.net>
- Re: php vulnerability
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: php vulnerability
Next by Date: Re: php vulnerabilities
Previous by thread: Re: php vulnerability
Next by thread: Re: php vulnerability
Index(es):
- Date
- Thread